diff --git a/.gitignore b/.gitignore index c76651868..666223666 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ dump.rdb .env gaba.cfg .idea/ +coverage/ diff --git a/app.js b/app.js index 15a7a5442..226b0c1ec 100644 --- a/app.js +++ b/app.js @@ -7,6 +7,7 @@ const passport = require('./services/passport'); const session = require('express-session'); const RedisStore = require('connect-redis')(session); const redis = require('./services/redis'); +const cookieParser = require('cookie-parser'); const app = express(); @@ -64,6 +65,11 @@ if (app.get('env') === 'production') { app.use(session(session_opts)); +//============================================================================== +// AUTHENTICATION TOKEN MIDDLEWARE +//============================================================================== +app.use(cookieParser()); + //============================================================================== // PASSPORT MIDDLEWARE //============================================================================== diff --git a/client/coral-plugin-csrf/FormCSRF.js b/client/coral-plugin-csrf/FormCSRF.js new file mode 100644 index 000000000..8fddcae40 --- /dev/null +++ b/client/coral-plugin-csrf/FormCSRF.js @@ -0,0 +1,11 @@ +import React from 'react'; + +export const FormCSRFInput = React.createClass({ + render() { + const token = ''; //$('meta[name="csrf-token"]').attr('content'); + + return ( + + ); + } +}); diff --git a/package.json b/package.json index 33b21f0da..0bbcb18de 100644 --- a/package.json +++ b/package.json @@ -90,6 +90,8 @@ "chai": "^3.5.0", "chai-http": "^3.0.0", "copy-webpack-plugin": "^4.0.0", + "cookie-parser": "^1.4.3", + "csurf": "^1.9.0", "css-loader": "^0.25.0", "dialog-polyfill": "^0.4.4", "eslint": "^3.12.1", @@ -120,8 +122,8 @@ "pre-git": "^3.10.0", "precss": "^1.4.0", "pym.js": "^1.1.1", - "react": "15.3.2", - "react-dom": "15.3.2", + "react": "^15.3.2", + "react-dom": "^15.3.2", "react-linkify": "^0.1.3", "react-mdl": "^1.7.2", "react-mdl-selectfield": "^0.2.0", diff --git a/routes/admin/index.js b/routes/admin/index.js index 03852c375..83196f46b 100644 --- a/routes/admin/index.js +++ b/routes/admin/index.js @@ -1,16 +1,22 @@ const express = require('express'); const router = express.Router(); +const csrf = require('csurf'); +//const bodyParser = require('body-parser'); + +// setup route middlewares for CSRF protection +const csrfProtection = csrf({cookie: true}); +//const parseForm = bodyParser.urlencoded({ extended: false }); // Get /password-reset expects a signed token (JWT) in the hash. // Links to this endpoint are generated by /views/password-reset-email.ejs. -router.get('/password-reset', (req, res, next) => { +router.get('/password-reset', csrfProtection, (req, res, next) => { // TODO: store the redirect uri in the token or something fancy. // admins and regular users should probably be redirected to different places. - res.render('password-reset', {redirectUri: process.env.TALK_ROOT_URL}); + res.render('password-reset', {redirectUri: process.env.TALK_ROOT_URL, csrfToken: req.csrfToken()}); }); -router.get('*', (req, res) => { - res.render('admin', {basePath: '/client/coral-admin'}); +router.get('*', csrfProtection, (req, res) => { + res.render('admin', {basePath: '/client/coral-admin', csrfToken: req.csrfToken()}); }); module.exports = router;