From 369ed3fc293e8ed808a784e5bb020210cf8f2447 Mon Sep 17 00:00:00 2001
From: gaba
Date: Thu, 15 Dec 2016 13:12:03 -0800
Subject: [PATCH] Adds csrf protection to some routes.

---
 routes/admin/index.js | 2 --
 routes/index.js | 12 ++++++++----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/routes/admin/index.js b/routes/admin/index.js
index 83196f46b..dd321fbce 100644
--- a/routes/admin/index.js
+++ b/routes/admin/index.js
@@ -1,11 +1,9 @@
 const express = require('express');
 const router = express.Router();
 const csrf = require('csurf');
-//const bodyParser = require('body-parser');
 // setup route middlewares for CSRF protection
 const csrfProtection = csrf({cookie: true});
-//const parseForm = bodyParser.urlencoded({ extended: false });
 // Get /password-reset expects a signed token (JWT) in the hash.
 // Links to this endpoint are generated by /views/password-reset-email.ejs.
diff --git a/routes/index.js b/routes/index.js
index 9ab0dff14..183b35c7a 100644
--- a/routes/index.js
+++ b/routes/index.js
@@ -1,21 +1,25 @@
 const express = require('express');
 const router = express.Router();
+const csrf = require('csurf');
+const csrfProtection = csrf({cookie: true});
 router.use('/api/v1', require('./api'));
 router.use('/admin', require('./admin'));
 router.use('/embed', require('./embed'));
-router.get('/', (req, res) => {
+router.get('/', csrfProtection, (req, res) => {
 return res.render('article', {
 title: 'Coral Talk',
- basePath: '/client/embed/stream'
+ basePath: '/client/embed/stream',
+ csrfToken: req.csrfToken()
 });
 });
-router.get('/assets/:asset_title', (req, res) => {
+router.get('/assets/:asset_title', csrfProtection, (req, res) => {
 return res.render('article', {
 title: req.params.asset_title.split('-').join(' '),
- basePath: '/client/embed/stream'
+ basePath: '/client/embed/stream',
+ csrfToken: req.csrfToken()
 });
 });
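Review bot: Wrapping the two GET handlers in `csrfProtection` only mints a token for the `article` template; csurf does not validate GET requests by default, so the protection is only as good as the state-changing routes that consume the token, and none are visible in this hunk (the `/api/v1`, `/admin` and `/embed` routers mounted above live in other files), so the commit should confirm those are wrapped too. `csrf({cookie: true})` stores the secret in a `_csrf` cookie with default attributes and requires `cookie-parser` to be mounted before these routes, which routes/index.js does not show and is presumably done in the app setup; consider explicit cookie attributes such as `const csrfProtection = csrf({ cookie: { httpOnly: true, sameSite: 'strict' } });`. The same `csrfProtection` is now constructed in both routes/index.js and routes/admin/index.js; a single shared middleware module would keep the configuration in one place, and a small render helper would remove the duplicated `basePath`/`csrfToken` object in the two handlers. The hunk header's line counts exceed the lines shown, so the file continues past the second handler.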