Adds csurf to and cookie-parser to manage CRSF protection.

This commit is contained in:
gaba
2016-12-15 12:56:34 -08:00
parent 7ef75fa92c
commit fc042779c2
5 changed files with 32 additions and 6 deletions
+1
View File
@@ -11,3 +11,4 @@ dump.rdb
.env
gaba.cfg
.idea/
coverage/
+6
View File
@@ -7,6 +7,7 @@ const passport = require('./services/passport');
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
const redis = require('./services/redis');
const cookieParser = require('cookie-parser');
const app = express();
@@ -64,6 +65,11 @@ if (app.get('env') === 'production') {
app.use(session(session_opts));
//==============================================================================
// AUTHENTICATION TOKEN MIDDLEWARE
//==============================================================================
app.use(cookieParser());
//==============================================================================
// PASSPORT MIDDLEWARE
//==============================================================================
+11
View File
@@ -0,0 +1,11 @@
import React from 'react';
export const FormCSRFInput = React.createClass({
render() {
const token = ''; //$('meta[name="csrf-token"]').attr('content');
return (
<input type="hidden" name="authenticity_token" value={token} readOnly={true} />
);
}
});
+4 -2
View File
@@ -90,6 +90,8 @@
"chai": "^3.5.0",
"chai-http": "^3.0.0",
"copy-webpack-plugin": "^4.0.0",
"cookie-parser": "^1.4.3",
"csurf": "^1.9.0",
"css-loader": "^0.25.0",
"dialog-polyfill": "^0.4.4",
"eslint": "^3.12.1",
@@ -120,8 +122,8 @@
"pre-git": "^3.10.0",
"precss": "^1.4.0",
"pym.js": "^1.1.1",
"react": "15.3.2",
"react-dom": "15.3.2",
"react": "^15.3.2",
"react-dom": "^15.3.2",
"react-linkify": "^0.1.3",
"react-mdl": "^1.7.2",
"react-mdl-selectfield": "^0.2.0",
+10 -4
View File
@@ -1,16 +1,22 @@
const express = require('express');
const router = express.Router();
const csrf = require('csurf');
//const bodyParser = require('body-parser');
// setup route middlewares for CSRF protection
const csrfProtection = csrf({cookie: true});
//const parseForm = bodyParser.urlencoded({ extended: false });
// Get /password-reset expects a signed token (JWT) in the hash.
// Links to this endpoint are generated by /views/password-reset-email.ejs.
router.get('/password-reset', (req, res, next) => {
router.get('/password-reset', csrfProtection, (req, res, next) => {
// TODO: store the redirect uri in the token or something fancy.
// admins and regular users should probably be redirected to different places.
res.render('password-reset', {redirectUri: process.env.TALK_ROOT_URL});
res.render('password-reset', {redirectUri: process.env.TALK_ROOT_URL, csrfToken: req.csrfToken()});
});
router.get('*', (req, res) => {
res.render('admin', {basePath: '/client/coral-admin'});
router.get('*', csrfProtection, (req, res) => {
res.render('admin', {basePath: '/client/coral-admin', csrfToken: req.csrfToken()});
});
module.exports = router;