diff --git a/routes/admin/index.js b/routes/admin/index.js
index 83196f46b..dd321fbce 100644
--- a/routes/admin/index.js
+++ b/routes/admin/index.js
@@ -1,11 +1,9 @@
 const express = require('express');
 const router = express.Router();
 const csrf = require('csurf');
-//const bodyParser = require('body-parser');
 
 // setup route middlewares for CSRF protection
 const csrfProtection = csrf({cookie: true});
-//const parseForm = bodyParser.urlencoded({ extended: false });
 
 // Get /password-reset expects a signed token (JWT) in the hash.
 // Links to this endpoint are generated by /views/password-reset-email.ejs.
diff --git a/routes/index.js b/routes/index.js
index 9ab0dff14..183b35c7a 100644
--- a/routes/index.js
+++ b/routes/index.js
@@ -1,21 +1,25 @@
 const express = require('express');
 const router = express.Router();
+const csrf = require('csurf');
+const csrfProtection = csrf({cookie: true});
 
 router.use('/api/v1', require('./api'));
 router.use('/admin', require('./admin'));
 router.use('/embed', require('./embed'));
 
-router.get('/', (req, res) => {
+router.get('/', csrfProtection, (req, res) => {
   return res.render('article', {
     title: 'Coral Talk',
-    basePath: '/client/embed/stream'
+    basePath: '/client/embed/stream',
+    csrfToken: req.csrfToken()
   });
 });
 
-router.get('/assets/:asset_title', (req, res) => {
+router.get('/assets/:asset_title', csrfProtection, (req, res) => {
   return res.render('article', {
     title: req.params.asset_title.split('-').join(' '),
-    basePath: '/client/embed/stream'
+    basePath: '/client/embed/stream',
+    csrfToken: req.csrfToken()
   });
 });
 
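Review bot: The new `csrfProtection` in routes/index.js is created with `csrf({cookie: true})`, which makes csurf keep its secret in a cookie and therefore depends on cookie-parser being mounted before this router; that wiring is not visible in the hunk, so it is worth confirming, because without it csurf fails at request time rather than at startup. The same `csrf({cookie: true})` instance is also constructed separately in routes/admin/index.js (first hunk); sharing one instance, or at least one options object, between the two routers would keep the cookie settings from drifting apart. With a bare `true` the secret cookie gets csurf's default attributes, so an explicit options object such as `csrf({cookie: {httpOnly: true, sameSite: 'strict'}})` is worth considering so the secret is not readable by page scripts and is not sent on cross-site requests. Both `router.get` handlers are complete within the hunk; the module's export statement lies outside it.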