From eb0332609cd2d3cc6c0489398ec7c06863b7f6fe Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Thu, 27 Mar 2014 14:09:13 -0400
Subject: [PATCH 1/6] CSRF token to headers for AJAX POST. Fix for #113
This is how you do a JS post with the CSRF Protection
```
$.ajax({ url: "http://test.com", type:"post" headers: {'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')}})
```
---
views/layout.jade | 1 +
1 file changed, 1 insertion(+)
diff --git a/views/layout.jade b/views/layout.jade
index b3980e41c47..71ac7ef9b04 100644
--- a/views/layout.jade
+++ b/views/layout.jade
@@ -5,6 +5,7 @@ html
 meta(http-equiv='X-UA-Compatible', content='IE=edge')
 meta(name='viewport', content='width=device-width, initial-scale=1.0')
 meta(name='description', content='')
+ meta(name='csrf-token', content=token)
 meta(name='author', content='')
 title #{title} | Hackathon Starter
 != css('styles')
From 05f7191c196d699bca152a766905ea4921dc8df1 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Fri, 28 Mar 2014 10:37:16 -0400
Subject: [PATCH 2/6] Change token to _csrf
---
app.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app.js b/app.js
index 596278efcc1..d93e47bdf06 100755
--- a/app.js
+++ b/app.js
@@ -77,7 +77,7 @@ app.use(passport.initialize());
 app.use(passport.session());
 app.use(function(req, res, next) {
 res.locals.user = req.user;
- res.locals.token = req.csrfToken();
+ res.locals._csrf = req.csrfToken();
 res.locals.secrets = secrets;
 next();
 });
From 9587150e7befef6a0741545050908044cf8a870f Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Fri, 28 Mar 2014 10:38:04 -0400
Subject: [PATCH 3/6] Change token to _csrf
---
views/account/forgot.jade | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/views/account/forgot.jade b/views/account/forgot.jade
index 70029f16b82..a843a1e95bf 100644
--- a/views/account/forgot.jade
+++ b/views/account/forgot.jade
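Review bot: Nothing in the template says why a per-session CSRF token is now emitted into every page, and the commit message is the only place the AJAX flow is explained; add an unbuffered comment above the new line, `//- Per-session CSRF token for AJAX POSTs: clients send it back in the X-CSRF-Token header`, and put the same explanation in the README rather than only in the commit. Because the layout now embeds a per-user value, HTML built from it must not be stored by a shared cache; confirm the pages are not served with a public `Cache-Control` (not visible in this series). The header name relied on, `X-CSRF-Token`, is presumably one the CSRF middleware behind `req.csrfToken()` reads; that dependency is worth recording in the comment too. The usage example in the description is missing the comma after `type:"post"`. PATCH 5/6's layout.jade hunk re-adds this same line as `content=_csrf`, so the comment belongs there as well.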
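Review bot: Renaming `res.locals.token` to `res.locals._csrf` here while every template still reads `value=token` until PATCH 3/6–5/6 leaves the hidden `_csrf` inputs and the layout meta tag without a value at the intermediate revisions, so any POST made against those commits would fail CSRF validation; the rename and the template updates belong in one commit. PATCH 6/6 repeats this hunk verbatim, down to the `index 596278efcc1..d93e47bdf06` line, so it cannot apply on top of PATCH 2/6 and should be dropped when the series is squashed. The `app.use(function(req, res, next) { … })` callback is shown in full within this hunk.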
@@ -4,7 +4,7 @@ block content
 .col-sm-8.col-sm-offset-2
 form(method='POST')
 legend Forgot Password
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .form-group
 p Enter your email address below and we will send you password reset instructions.
 label.control-label(for='email') Email
From 205318ea4264cd8330a609f4242e0abf2f46e733 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Fri, 28 Mar 2014 10:38:29 -0400
Subject: [PATCH 4/6] Change token to _csrf
---
views/account/login.jade | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/views/account/login.jade b/views/account/login.jade
index 5869ee6a311..dd73045a278 100644
--- a/views/account/login.jade
+++ b/views/account/login.jade
@@ -3,7 +3,7 @@ extends ../layout
 block content
 form(method='POST')
 legend Sign In
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .col-sm-8.col-sm-offset-2
 if secrets.localAuth
 .form-group
@@ -37,4 +37,4 @@ block content
 if secrets.linkedinAuth
 a.btn.btn-block.btn-linkedin.btn-social(href='/auth/linkedin')
 i.fa.fa-linkedin
- | Sign in with LinkedIn
\ No newline at end of file
+ | Sign in with LinkedIn
From f88a09081fe2ff148427a5b0e28cb7b01ce8e08d Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Fri, 28 Mar 2014 13:40:55 -0400
Subject: [PATCH 5/6] Changed Varable from token to _csrf
---
views/account/forgot.jade | 2 +-
views/account/login.jade | 2 +-
views/account/profile.jade | 4 ++--
views/account/reset.jade | 2 +-
views/account/signup.jade | 2 +-
views/api/clockwork.jade | 2 +-
views/api/twilio.jade | 2 +-
views/api/venmo.jade | 2 +-
views/contact.jade | 2 +-
views/layout.jade | 1 +
10 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/views/account/forgot.jade b/views/account/forgot.jade
index 70029f16b82..a843a1e95bf 100644
--- a/views/account/forgot.jade
+++ b/views/account/forgot.jade
@@ -4,7 +4,7 @@ block content
 .col-sm-8.col-sm-offset-2
 form(method='POST')
 legend Forgot Password
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .form-group
 p Enter your email address below and we will send you password reset instructions.
 label.control-label(for='email') Email
diff --git a/views/account/login.jade b/views/account/login.jade
index 5869ee6a311..5f827b49798 100644
--- a/views/account/login.jade
+++ b/views/account/login.jade
@@ -3,7 +3,7 @@ extends ../layout
 block content
 form(method='POST')
 legend Sign In
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .col-sm-8.col-sm-offset-2
 if secrets.localAuth
 .form-group
diff --git a/views/account/profile.jade b/views/account/profile.jade
index 047d077389a..39c73cb2d90 100644
--- a/views/account/profile.jade
+++ b/views/account/profile.jade
@@ -5,7 +5,7 @@ block content
 h3 Profile Information
 form.form-horizontal(action='/account/profile', method='POST')
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .form-group
 label.col-sm-2.control-label(for='email') Email
 .col-sm-4
@@ -47,7 +47,7 @@ block content
 h3 Change Password
 form.form-horizontal(action='/account/password', method='POST')
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .form-group
 label.col-sm-3.control-label(for='password') New Password
 .col-sm-4
diff --git a/views/account/reset.jade b/views/account/reset.jade
index 520642fad7a..ac5e88584b5 100644
--- a/views/account/reset.jade
+++ b/views/account/reset.jade
@@ -4,7 +4,7 @@ block content
 .col-sm-8.col-sm-offset-2
 form(method='POST')
 legend Reset Password
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .form-group
 label(for='password') New Password
 input.form-control(type='password', name='password', value='', placeholder='New password', autofocus=true)
diff --git a/views/account/signup.jade b/views/account/signup.jade
index a2a8be66810..ee8c0a0b2b3 100644
--- a/views/account/signup.jade
+++ b/views/account/signup.jade
@@ -2,7 +2,7 @@ extends ../layout
 block content
 form.form-horizontal(id='signup-form', method='POST')
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 legend Signup
 .form-group
 label.col-sm-3.control-label(for='email') Email
diff --git a/views/api/clockwork.jade b/views/api/clockwork.jade
index 5b07fb9f1ba..1bff65240d0 100644
--- a/views/api/clockwork.jade
+++ b/views/api/clockwork.jade
@@ -18,7 +18,7 @@ block content
 .row
 .col-sm-6
 form(role='form', method='POST')
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .form-group
 .input-group
 input.form-control(type='text', name='telephone', placeholder='Phone Number (international format)')
diff --git a/views/api/twilio.jade b/views/api/twilio.jade
index af529ed103d..e5e1cf035bd 100644
--- a/views/api/twilio.jade
+++ b/views/api/twilio.jade
@@ -21,7 +21,7 @@ block content
 .row
 .col-sm-6
 form(role='form', method='POST')
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .form-group
 .input-group
 input.form-control(type='text', name='telephone', placeholder='Phone Number')
diff --git a/views/api/venmo.jade b/views/api/venmo.jade
index 46b8f12cfd0..9010b106934 100644
--- a/views/api/venmo.jade
+++ b/views/api/venmo.jade
@@ -42,7 +42,7 @@ block content
 .col-sm-5
 h3 Make Payment
 form(role='form', method='POST')
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .form-group
 label.control-label(for='user') Phone, Email or Venmo User ID
 input.form-control(type='text', name='user', id='user', placeholder='15555555555', autofocus=true)
diff --git a/views/contact.jade b/views/contact.jade
index 2b8a3014345..cf54ffe8d02 100644
--- a/views/contact.jade
+++ b/views/contact.jade
@@ -5,7 +5,7 @@ block content
 h3 Contact Form
 form.form-horizontal(role='form', method='POST')
- input(type='hidden', name='_csrf', value=token)
+ input(type='hidden', name='_csrf', value=_csrf)
 .form-group
 label(class='col-sm-2 control-label', for='name') Name
 .col-sm-8
diff --git a/views/layout.jade b/views/layout.jade
index b3980e41c47..61769a96025 100644
--- a/views/layout.jade
+++ b/views/layout.jade
@@ -5,6 +5,7 @@ html
 meta(http-equiv='X-UA-Compatible', content='IE=edge')
 meta(name='viewport', content='width=device-width, initial-scale=1.0')
 meta(name='description', content='')
+ meta(name='csrf-token', content=_csrf)
 meta(name='author', content='')
 title #{title} | Hackathon Starter
 != css('styles')
From f6c4900b3b0d6001e2a7e8aaf48e9d2f9daa3e89 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Fri, 28 Mar 2014 13:42:26 -0400
Subject: [PATCH 6/6] Changed Varable from token to _csrf
---
app.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app.js b/app.js
index 596278efcc1..d93e47bdf06 100755
--- a/app.js
+++ b/app.js
@@ -77,7 +77,7 @@ app.use(passport.initialize());
 app.use(passport.session());
 app.use(function(req, res, next) {
 res.locals.user = req.user;
- res.locals.token = req.csrfToken();
+ res.locals._csrf = req.csrfToken();
 res.locals.secrets = secrets;
 next();
 });