How to test endpoints protected by csrf in node.js/express

The trick is that you need to wrap your POST test inside a GET and parse the necessary CSRF token from the cookie. First, this assumes you create an Angular-compatible CSRF cookie like this:

.use(express.csrf()).use(function (req, res, next) {  res.cookie('XSRF-TOKEN', req.session._csrf);  res.locals.csrftoken = req.session._csrf;  next();})

Then, your test could look like this:

describe('Authenticated Jade tests', function () {  this.timeout(5000);  before(function (done) {    [Set up an authenticated user here]  });  var validPaths = ['/help', '/products'];  async.each(validPaths, function (path, callback) {    it('should confirm that ' + path + ' serves HTML and is only available when logged in', function (done) {      request.get('https://127.0.0.1:' + process.env.PORT + path, function (err, res, body) {        expect(res.statusCode).to.be(302);        expect(res.headers.location).to.be('/login');        expect(body).to.be('Moved Temporarily. Redirecting to /login');        var csrftoken = unescape(/XSRF-TOKEN=(.*?);/.exec(res.headers['set-cookie'])[1]);        var authAttributes = { _csrf: csrftoken, email: userAttributes.email, password: 'password' };        request.post('https://127.0.0.1:' + process.env.PORT + '/login', { body: authAttributes, json: true }, function (err, res) {          expect(res.statusCode).to.be(303);          request.get('https://127.0.0.1:' + process.env.PORT + path, function (err, res, body) {            expect(res.statusCode).to.be(200);            expect(body.toString().substr(-14)).to.be('</body></html>');            request.get('https://127.0.0.1:' + process.env.PORT + '/bye', function () {              done();            });          });        });      });    });    callback();  });});

The idea is to actually login and use post the CSRF token you're getting from the cookie. Note that you need the following at the top of the mocha test file:

var request = require('request').defaults({jar: true, followRedirect: false});

what i do is expose a csrf token only in non-production:

if (process.env.NODE_ENV !== 'production') {  app.use('/csrf', function (req, res, next) {    res.json({      csrf: req.csrfToken()    })  })}

then have it be the first test and save it as a global. you'll have to use an agent in your tests so you consistently use the same session.

@dankohn's excellent answer has been most helpful. Things have changed a bit since then, regarding both supertest and the csurf module. Therefore, in addition to that answer, I have found that the following needs to be passed to the POST:

  it('should ...', function(done) {    request(app)      .get('/...')      .expect(200)      .end(function(err, res) {        var csrfToken = unescape(/XSRF-TOKEN=(.*?);/.exec(res.headers['set-cookie'])[1]);        assert(csrfToken);        request(app)          .post('/...')          .set({cookie: res.headers['set-cookie']})          .send({            _csrf: csrfToken,            ...          })          .expect(200)          .end(done);      });  });