mirror of
https://github.com/wassname/talk.git
synced 2026-07-08 10:39:51 +08:00
Adds csurf to and cookie-parser to manage CRSF protection.
This commit is contained in:
@@ -11,3 +11,4 @@ dump.rdb
|
||||
.env
|
||||
gaba.cfg
|
||||
.idea/
|
||||
coverage/
|
||||
|
||||
@@ -7,6 +7,7 @@ const passport = require('./services/passport');
|
||||
const session = require('express-session');
|
||||
const RedisStore = require('connect-redis')(session);
|
||||
const redis = require('./services/redis');
|
||||
const cookieParser = require('cookie-parser');
|
||||
|
||||
const app = express();
|
||||
|
||||
@@ -64,6 +65,11 @@ if (app.get('env') === 'production') {
|
||||
|
||||
app.use(session(session_opts));
|
||||
|
||||
//==============================================================================
|
||||
// AUTHENTICATION TOKEN MIDDLEWARE
|
||||
//==============================================================================
|
||||
app.use(cookieParser());
|
||||
|
||||
//==============================================================================
|
||||
// PASSPORT MIDDLEWARE
|
||||
//==============================================================================
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
import React from 'react';
|
||||
|
||||
export const FormCSRFInput = React.createClass({
|
||||
render() {
|
||||
const token = ''; //$('meta[name="csrf-token"]').attr('content');
|
||||
|
||||
return (
|
||||
<input type="hidden" name="authenticity_token" value={token} readOnly={true} />
|
||||
);
|
||||
}
|
||||
});
|
||||
+4
-2
@@ -90,6 +90,8 @@
|
||||
"chai": "^3.5.0",
|
||||
"chai-http": "^3.0.0",
|
||||
"copy-webpack-plugin": "^4.0.0",
|
||||
"cookie-parser": "^1.4.3",
|
||||
"csurf": "^1.9.0",
|
||||
"css-loader": "^0.25.0",
|
||||
"dialog-polyfill": "^0.4.4",
|
||||
"eslint": "^3.12.1",
|
||||
@@ -120,8 +122,8 @@
|
||||
"pre-git": "^3.10.0",
|
||||
"precss": "^1.4.0",
|
||||
"pym.js": "^1.1.1",
|
||||
"react": "15.3.2",
|
||||
"react-dom": "15.3.2",
|
||||
"react": "^15.3.2",
|
||||
"react-dom": "^15.3.2",
|
||||
"react-linkify": "^0.1.3",
|
||||
"react-mdl": "^1.7.2",
|
||||
"react-mdl-selectfield": "^0.2.0",
|
||||
|
||||
+10
-4
@@ -1,16 +1,22 @@
|
||||
const express = require('express');
|
||||
const router = express.Router();
|
||||
const csrf = require('csurf');
|
||||
//const bodyParser = require('body-parser');
|
||||
|
||||
// setup route middlewares for CSRF protection
|
||||
const csrfProtection = csrf({cookie: true});
|
||||
//const parseForm = bodyParser.urlencoded({ extended: false });
|
||||
|
||||
// Get /password-reset expects a signed token (JWT) in the hash.
|
||||
// Links to this endpoint are generated by /views/password-reset-email.ejs.
|
||||
router.get('/password-reset', (req, res, next) => {
|
||||
router.get('/password-reset', csrfProtection, (req, res, next) => {
|
||||
// TODO: store the redirect uri in the token or something fancy.
|
||||
// admins and regular users should probably be redirected to different places.
|
||||
res.render('password-reset', {redirectUri: process.env.TALK_ROOT_URL});
|
||||
res.render('password-reset', {redirectUri: process.env.TALK_ROOT_URL, csrfToken: req.csrfToken()});
|
||||
});
|
||||
|
||||
router.get('*', (req, res) => {
|
||||
res.render('admin', {basePath: '/client/coral-admin'});
|
||||
router.get('*', csrfProtection, (req, res) => {
|
||||
res.render('admin', {basePath: '/client/coral-admin', csrfToken: req.csrfToken()});
|
||||
});
|
||||
|
||||
module.exports = router;
|
||||
|
||||
Reference in New Issue
Block a user