You can do it in v9, although it's a little non-obvious. The trick is to turn your default 500-error handler, which is included by Sails as a fallback Express middleware, into a true Express error handler. To do that, simply change the function signature in your app's config/500.js file from:
function serverErrorOccurred(errors, req, res)
to
function serverErrorOccurred(errors, req, res, next)
Express interprets any middleware with four parameters as an error handler, so when the CSRF code passes its error along, this method will run. Now, it's up to you inside the serverErrorOccurred method to determine whether the error is coming from a missing CSRF token; I'd start by checking errors.status to see that it's a 403, then check req.url and req.method to determine what the user was trying to do. Have fun!
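A sketch of the check described in the answer above, added here as an example and not taken from the original post or from Sails itself. It assumes `errors` may arrive as a single error or an array, treats a 403 on a state-changing method as a likely CSRF rejection, and uses a hypothetical helper name `findCsrfRejection`; wire `serverErrorOccurred` into config/500.js the way your existing file exports it.

```javascript
// Added example, not Sails' own code.
// Methods the Connect CSRF middleware does not check; a 403 on any other
// method is treated here as a CSRF candidate (a heuristic, not proof).
const CSRF_EXEMPT_METHODS = ['GET', 'HEAD', 'OPTIONS'];

// Assumption: `errors` may be a single Error or an array of them.
function findCsrfRejection(errors, req) {
  const list = Array.isArray(errors) ? errors : [errors];
  const forbidden = list.find((e) => e && e.status === 403);
  if (!forbidden) return null;
  const method = String(req.method).toUpperCase();
  if (CSRF_EXEMPT_METHODS.includes(method)) return null;
  return { method: method, url: req.url };
}

// Four parameters, so Express treats this as an error handler.
function serverErrorOccurred(errors, req, res, next) {
  const rejected = findCsrfRejection(errors, req);
  if (rejected) {
    // Record what was attempted, never the token or the request body.
    console.warn('CSRF rejection: %s %s', rejected.method, rejected.url);
    return res.status(403).json({ error: 'Invalid or missing CSRF token' });
  }
  // Anything else: log server-side, return a generic 500 to the client.
  console.error(errors);
  return res.status(500).json({ error: 'Internal server error' });
}
```

Logging only the method and URL gives you a record of rejected state-changing requests to alert on without writing tokens or form data to the log.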