You need to store the generated token in the res.locals object to make it available from the template, for example using another middleware. In this example it's passed to the template in every request:

    app.use(express.csrf());
    // Expose the CSRF token to every rendered template via res.locals
    app.use(function (req, res, next) {
      res.locals.csrftoken = req.csrfToken();
      next();
    });

And then in your template:

    div
      form(method="post",action="/login")
        input(type="hidden", name="_csrf", value=csrftoken)
        button(type="submit") Login

I recommend you follow Adam Baldwin; he writes the Lift Security blog about security in Node.js. You can find a secure Express skeleton in his repo.
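
The round trip behind the answer above (token issued per session, copied to res.locals for the form, checked when the form is posted back) as an added example that is not the answer author's code and not Express's csrf implementation. The function names issueCsrfToken, exposeCsrfToken, verifyCsrfToken and simulate are hypothetical, and the requests are constructed objects rather than real HTTP traffic.

```javascript
// Added illustration: a minimal synchronizer-token middleware chain with no
// Express dependency. All function names here are hypothetical.
const crypto = require('crypto');

// Create the per-session token once and give the request a csrfToken() accessor.
function issueCsrfToken(req, res, next) {
  if (!req.session.csrfSecret) {
    req.session.csrfSecret = crypto.randomBytes(32).toString('hex');
  }
  req.csrfToken = () => req.session.csrfSecret;
  next();
}

// Same shape as the middleware in the answer: copy the token to res.locals.
function exposeCsrfToken(req, res, next) {
  res.locals.csrftoken = req.csrfToken();
  next();
}

// Reject state-changing requests whose _csrf field does not match the session token.
function verifyCsrfToken(req, res, next) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
  const sent = Buffer.from(String((req.body && req.body._csrf) || ''));
  const expected = Buffer.from(req.session.csrfSecret || '');
  // Length check first: timingSafeEqual throws on buffers of different length.
  const ok = expected.length > 0 && sent.length === expected.length &&
    crypto.timingSafeEqual(sent, expected);
  if (!ok) { res.statusCode = 403; return next(new Error('invalid csrf token')); }
  next();
}

// Run a constructed request through the chain; return the status and the token.
function simulate(method, session, body) {
  const req = { method, session, body };
  const res = { statusCode: 200, locals: {} };
  const chain = [issueCsrfToken, verifyCsrfToken, exposeCsrfToken];
  let i = 0;
  const next = (err) => { if (!err && i < chain.length) chain[i++](req, res, next); };
  next();
  return { status: res.statusCode, token: res.locals.csrftoken };
}

const session = {};                                    // constructed session entry
const page = simulate('GET', session, {});             // form render: token in res.locals
console.log(page.status, page.token.length);
console.log(simulate('POST', session, { _csrf: page.token }).status); // token echoed back
console.log(simulate('POST', session, {}).status);     // form posted without the token
```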