From 54d0096dd1264c66a035d5a33d27e69db2811cfe Mon Sep 17 00:00:00 2001 From: gaba Date: Thu, 22 Dec 2016 14:17:09 -0800 Subject: [PATCH] More CSRF in forms. --- client/coral-admin/src/actions/auth.js | 13 ++++++++++--- client/coral-admin/src/actions/comments.js | 4 ++-- client/coral-admin/src/components/CommentBox.js | 6 +++--- client/coral-admin/src/constants/auth.js | 2 ++ .../src/containers/CommentStream/CommentStream.js | 9 +++++---- client/coral-admin/src/reducers/auth.js | 6 +++++- client/coral-embed-stream/src/CommentStream.js | 7 +++++-- client/coral-framework/actions/auth.js | 4 +++- client/coral-plugin-commentbox/CommentBox.js | 8 +++++--- routes/api/auth/index.js | 5 ++++- 10 files changed, 44 insertions(+), 20 deletions(-) diff --git a/client/coral-admin/src/actions/auth.js b/client/coral-admin/src/actions/auth.js index 54763259d..281f87409 100644 --- a/client/coral-admin/src/actions/auth.js +++ b/client/coral-admin/src/actions/auth.js @@ -10,13 +10,20 @@ const checkLoginFailure = error => ({type: actions.CHECK_LOGIN_FAILURE, error}); export const checkLogin = () => dispatch => { dispatch(checkLoginRequest()); coralApi('/auth') - .then(user => { - const isAdmin = !!user.roles.filter(i => i === 'admin').length; - dispatch(checkLoginSuccess(user, isAdmin)); + .then(result => { + if (result.csrfToken !== null) { + dispatch(checkCSRFToken(result.csrfToken)); + } + + const isAdmin = !!result.user.roles.filter(i => i === 'admin').length; + dispatch(checkLoginSuccess(result.user, isAdmin)); }) .catch(error => dispatch(checkLoginFailure(error))); }; +// Set CSRF Token +export const checkCSRFToken = (csrfToken) => ({type: actions.CHECK_CSRF_TOKEN, csrfToken}); + // LogOut Actions const logOutRequest = () => ({type: actions.LOGOUT_REQUEST}); diff --git a/client/coral-admin/src/actions/comments.js b/client/coral-admin/src/actions/comments.js index e755f1ed1..6014979b1 100644 --- a/client/coral-admin/src/actions/comments.js +++ b/client/coral-admin/src/actions/comments.js @@ -31,9 +31,9 @@ export const fetchModerationQueueComments = () => { }; // Create a new comment -export const createComment = (name, body) => { +export const createComment = (name, body, _csrf) => { return dispatch => { - const comment = {body, name}; + const comment = {body, name, _csrf}; return coralApi('/comments', {method: 'POST', comment}) .then(res => dispatch({type: commentActions.COMMENT_CREATE_SUCCESS, comment: res})) .catch(error => dispatch({type: commentActions.COMMENT_CREATE_FAILED, error})); diff --git a/client/coral-admin/src/components/CommentBox.js b/client/coral-admin/src/components/CommentBox.js index ce3438960..ff53d61b4 100644 --- a/client/coral-admin/src/components/CommentBox.js +++ b/client/coral-admin/src/components/CommentBox.js @@ -7,13 +7,13 @@ import {Button} from 'react-mdl'; export default class CommentBox extends React.Component { constructor (props) { super(props); - this.state = {name: '', body: ''}; + this.state = {name: '', body: '', csrfToken: props.csrfToken}; this.onSubmit = this.onSubmit.bind(this); } onSubmit () { - const {name, body} = this.state; - this.props.onSubmit({name, body}); + const {name, body, csrfToken} = this.state; + this.props.onSubmit({name, body, csrfToken}); this.setState({body: '', name: ''}); } diff --git a/client/coral-admin/src/constants/auth.js b/client/coral-admin/src/constants/auth.js index c6cb6c944..f77deb670 100644 --- a/client/coral-admin/src/constants/auth.js +++ b/client/coral-admin/src/constants/auth.js @@ -2,6 +2,8 @@ export const CHECK_LOGIN_REQUEST = 'CHECK_LOGIN_REQUEST'; export const CHECK_LOGIN_SUCCESS = 'CHECK_LOGIN_SUCCESS'; export const CHECK_LOGIN_FAILURE = 'CHECK_LOGIN_FAILURE'; +export const CHECK_CSRF_TOKEN = 'CHECK_CSRF_TOKEN'; + export const LOGOUT_REQUEST = 'LOGOUT_REQUEST'; export const LOGOUT_SUCCESS = 'LOGOUT_SUCCESS'; export const LOGOUT_FAILURE = 'LOGOUT_FAILURE'; diff --git a/client/coral-admin/src/containers/CommentStream/CommentStream.js b/client/coral-admin/src/containers/CommentStream/CommentStream.js index 556e50463..ee8d0e512 100644 --- a/client/coral-admin/src/containers/CommentStream/CommentStream.js +++ b/client/coral-admin/src/containers/CommentStream/CommentStream.js @@ -14,7 +14,8 @@ import CommentBox from 'components/CommentBox'; class CommentStream extends React.Component { constructor (props) { super(props); - this.state = {snackbar: false, snackbarMsg: ''}; + console.log('PROPS IN COMMENTSTREAM ', props); + this.state = {snackbar: false, snackbarMsg: '', csrfToken: props.csrfToken}; this.onSubmit = this.onSubmit.bind(this); this.onClickAction = this.onClickAction.bind(this); } @@ -25,8 +26,8 @@ class CommentStream extends React.Component { } // Submit the new comment - onSubmit (comment) { - this.props.dispatch(createComment(comment.name, comment.body)); + onSubmit (comment, csrfToken) { + this.props.dispatch(createComment(comment.name, comment.body, csrfToken)); } // The only action for now is flagging @@ -43,7 +44,7 @@ class CommentStream extends React.Component { render ({comments, users}, {snackbar, snackbarMsg}) { return (
- + + charCount={charCountEnable && charCount} + csrfToken={csrfToken}/>
:

{closedMessage}

@@ -204,6 +205,7 @@ class CommentStream extends Component { premod={moderation} currentUser={user} charCount={charCountEnable && charCount} + csrfToken={csrfToken} showReply={comment.showReply}/> { comment.children && @@ -264,6 +266,7 @@ class CommentStream extends Component { banned={banned} currentUser={user} charCount={charCountEnable && charCount} + csrfToken={csrfToken} showReply={reply.showReply}/> ; }) @@ -316,7 +319,7 @@ const mapStateToProps = state => ({ const mapDispatchToProps = (dispatch) => ({ addItem: (item, item_id) => dispatch(addItem(item, item_id)), updateItem: (id, property, value, itemType) => dispatch(updateItem(id, property, value, itemType)), - postItem: (data, type, id) => dispatch(postItem(data, type, id)), + postItem: (data, type, id, csrfToken) => dispatch(postItem(data, type, id, csrfToken)), getStream: (rootId) => dispatch(getStream(rootId)), addNotification: (type, text) => dispatch(addNotification(type, text)), clearNotification: () => dispatch(clearNotification()), diff --git a/client/coral-framework/actions/auth.js b/client/coral-framework/actions/auth.js index 27f432c37..1c58be02f 100644 --- a/client/coral-framework/actions/auth.js +++ b/client/coral-framework/actions/auth.js @@ -24,10 +24,10 @@ const signInSuccess = (user, isAdmin) => ({type: actions.FETCH_SIGNIN_SUCCESS, u const signInFailure = error => ({type: actions.FETCH_SIGNIN_FAILURE, error}); export const fetchSignIn = (formData) => dispatch => { - console.log('DEBUG FORMDATA', formData); dispatch(signInRequest()); coralApi('/auth/local', {method: 'POST', body: formData}) .then(({user}) => { + console.log('DEBUG FORMDATA ', formData); const isAdmin = !!user.roles.filter(i => i === 'admin').length; dispatch(signInSuccess(user, isAdmin)); dispatch(hideSignInDialog()); @@ -127,7 +127,9 @@ export const checkLogin = () => dispatch => { dispatch(checkLoginRequest()); coralApi('/auth') .then((result) => { + console.log('debug 1 result ', result); if (result.csrfToken !== null) { + console.log('DEBUG 2 TOKEN', result.csrfToken); dispatch(checkCSRFToken(result.csrfToken)); } diff --git a/client/coral-plugin-commentbox/CommentBox.js b/client/coral-plugin-commentbox/CommentBox.js index fe67b22e0..1d02df5bf 100644 --- a/client/coral-plugin-commentbox/CommentBox.js +++ b/client/coral-plugin-commentbox/CommentBox.js @@ -14,7 +14,8 @@ class CommentBox extends Component { comments: PropTypes.array, reply: PropTypes.bool, canPost: PropTypes.bool, - currentUser: PropTypes.object + currentUser: PropTypes.object, + csrfToken: PropTypes.string } state = { @@ -32,7 +33,8 @@ class CommentBox extends Component { addNotification, appendItemArray, premod, - author + author, + csrfToken } = this.props; let comment = { @@ -57,7 +59,7 @@ class CommentBox extends Component { if (this.props.charCount && this.state.body.length > this.props.charCount) { return; } - postItem(comment, 'comments') + postItem(comment, 'comments', csrfToken) .then((postedComment) => { const commentId = postedComment.id; if (postedComment.status === 'rejected') { diff --git a/routes/api/auth/index.js b/routes/api/auth/index.js index 5b84cb973..87c66cc5a 100644 --- a/routes/api/auth/index.js +++ b/routes/api/auth/index.js @@ -16,9 +16,12 @@ const parseForm = bodyParser.urlencoded({extended: false}); * This returns the user if they are logged in. */ router.get('/', csrfProtection, (req, res, next) => { + + console.log('DEBUT WHAT IS GOING ?', req.user); if (req.user) { return next(); } + console.log('it has the user but what the hek?'); // When there is no user on the request, then just send back the CSRF token. res.json({csrfToken: req.csrfToken()}); @@ -87,7 +90,7 @@ const HandleAuthPopupCallback = (req, res, next) => (err, user) => { * Local auth endpoint, will recieve a email and password */ router.post('/local', parseForm, csrfProtection, (req, res, next) => { - + // Perform the local authentication. passport.authenticate('local', HandleAuthCallback(req, res, next))(req, res, next); });