Merge pull request #114 from GeneralZero/patch-3

CSRF token to headers for AJAX POST. Fix for #113
2014-03-28 19:06:18 -04:00 · 2014-03-28 19:06:18 -04:00 · 04d8a45233
parent a49ee82150 6aef38c550
commit 04d8a45233
11 changed files with 13 additions and 12 deletions
--- a/app.js
+++ b/app.js
@ -77,7 +77,7 @@ app.use(passport.initialize());
 app.use(passport.session());
 app.use(function(req, res, next) {
  res.locals.user = req.user;
-  res.locals.token = req.csrfToken();
+  res.locals._csrf = req.csrfToken();
  res.locals.secrets = secrets;
  next();
 });
--- a/views/account/forgot.jade
+++ b/views/account/forgot.jade
@ -4,7 +4,7 @@ block content
  .col-sm-8.col-sm-offset-2
    form(method='POST')
      legend Forgot Password
-      input(type='hidden', name='_csrf', value=token)
+      input(type='hidden', name='_csrf', value=_csrf)
      .form-group
        p Enter your email address below and we will send you password reset instructions.
        label.control-label(for='email') Email
--- a/views/account/login.jade
+++ b/views/account/login.jade
@ -3,7 +3,7 @@ extends ../layout
 block content
  form(method='POST')
    legend Sign In
-    input(type='hidden', name='_csrf', value=token)
+    input(type='hidden', name='_csrf', value=_csrf)
    .col-sm-8.col-sm-offset-2
      if secrets.localAuth
        .form-group
@ -37,4 +37,4 @@ block content
      if secrets.linkedinAuth
        a.btn.btn-block.btn-linkedin.btn-social(href='/auth/linkedin')
          i.fa.fa-linkedin
-          | Sign in with LinkedIn
+          | Sign in with LinkedIn
--- a/views/account/profile.jade
+++ b/views/account/profile.jade
@ -5,7 +5,7 @@ block content
    h3 Profile Information

  form.form-horizontal(action='/account/profile', method='POST')
-    input(type='hidden', name='_csrf', value=token)
+    input(type='hidden', name='_csrf', value=_csrf)
    .form-group
      label.col-sm-2.control-label(for='email') Email
      .col-sm-4
@ -47,7 +47,7 @@ block content
      h3 Change Password

    form.form-horizontal(action='/account/password', method='POST')
-      input(type='hidden', name='_csrf', value=token)
+      input(type='hidden', name='_csrf', value=_csrf)
      .form-group
        label.col-sm-3.control-label(for='password') New Password
        .col-sm-4
--- a/views/account/reset.jade
+++ b/views/account/reset.jade
@ -4,7 +4,7 @@ block content
  .col-sm-8.col-sm-offset-2
    form(method='POST')
      legend Reset Password
-      input(type='hidden', name='_csrf', value=token)
+      input(type='hidden', name='_csrf', value=_csrf)
      .form-group
        label(for='password') New Password
        input.form-control(type='password', name='password', value='', placeholder='New password', autofocus=true)
--- a/views/account/signup.jade
+++ b/views/account/signup.jade
@ -2,7 +2,7 @@ extends ../layout

 block content
  form.form-horizontal(id='signup-form', method='POST')
-    input(type='hidden', name='_csrf', value=token)
+    input(type='hidden', name='_csrf', value=_csrf)
    legend Signup
    .form-group
      label.col-sm-3.control-label(for='email') Email
--- a/views/api/clockwork.jade
+++ b/views/api/clockwork.jade
@ -18,7 +18,7 @@ block content
  .row
    .col-sm-6
      form(role='form', method='POST')
-        input(type='hidden', name='_csrf', value=token)
+        input(type='hidden', name='_csrf', value=_csrf)
        .form-group
          .input-group
            input.form-control(type='text', name='telephone', placeholder='Phone Number (international format)')
--- a/views/api/twilio.jade
+++ b/views/api/twilio.jade
@ -21,7 +21,7 @@ block content
  .row
    .col-sm-6
      form(role='form', method='POST')
-        input(type='hidden', name='_csrf', value=token)
+        input(type='hidden', name='_csrf', value=_csrf)
        .form-group
          .input-group
            input.form-control(type='text', name='telephone', placeholder='Phone Number')
--- a/views/api/venmo.jade
+++ b/views/api/venmo.jade
@ -42,7 +42,7 @@ block content
    .col-sm-5
      h3 Make Payment
      form(role='form', method='POST')
-        input(type='hidden', name='_csrf', value=token)
+        input(type='hidden', name='_csrf', value=_csrf)
        .form-group
          label.control-label(for='user') Phone, Email or Venmo User ID
          input.form-control(type='text', name='user', id='user', placeholder='15555555555', autofocus=true)
--- a/views/contact.jade
+++ b/views/contact.jade
@ -5,7 +5,7 @@ block content
    h3 Contact Form

  form.form-horizontal(role='form', method='POST')
-    input(type='hidden', name='_csrf', value=token)
+    input(type='hidden', name='_csrf', value=_csrf)
    .form-group
      label(class='col-sm-2 control-label', for='name') Name
      .col-sm-8
--- a/views/layout.jade
+++ b/views/layout.jade
@ -5,6 +5,7 @@ html
    meta(http-equiv='X-UA-Compatible', content='IE=edge')
    meta(name='viewport', content='width=device-width, initial-scale=1.0')
    meta(name='description', content='')
+    meta(name='csrf-token', content=_csrf)
    meta(name='author', content='')
    title #{title} | Hackathon Starter
    != css('styles')