Merge pull request #1 from GeneralZero/master

Changed Views to accept CSRF token
2014-02-03 10:10:43 -08:00 · 2014-02-03 10:10:43 -08:00 · ae2c6f7dce
parent 71f05d2852 c99c8fe1f8
commit ae2c6f7dce
5 changed files with 22 additions and 2 deletions
--- a/app.js
+++ b/app.js
@ -69,16 +69,18 @@ app.use(express.urlencoded());
 app.use(expressValidator());
 app.use(express.methodOverride());
 app.use(express.session({
-  secret: 'your secret code',
+  secret: secrets.sessionSecret,
  store: new MongoStore({
    db: mongoose.connection.db,
    auto_reconnect: true
  })
 }));
+app.use(express.csrf());
 app.use(passport.initialize());
 app.use(passport.session());
 app.use(function(req, res, next) {
  res.locals.user = req.user;
+  res.locals.token = req.csrfToken(); 
  next();
 });
 app.use(flash());
@ -90,6 +92,13 @@ app.use(function(req, res) {
 });
 app.use(express.errorHandler());

+/*Helper function for CSRF 
+app.dynamicHelpers({
+    token: function(req, res) {
+        return req.session._csrf;
+    }
+});*/
+
 /**
 * Application routes.
 */
--- a/views/account/login.jade
+++ b/views/account/login.jade
@ -24,6 +24,8 @@ block content
      .form-group
        label.control-label(for='username') Password
        input.form-control(type='password', name='password', id='password', placeholder='Password')
+      .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
      .form-group
        button.btn.btn-primary(type='submit')
          i.fa.fa-unlock-alt
--- a/views/account/profile.jade
+++ b/views/account/profile.jade
@ -30,12 +30,15 @@ block content
      label.col-xs-2.control-label(for='website') Website
      .col-xs-4
        input.form-control(type='text', name='website', id='website', value='#{user.profile.website}')
+    .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
    .form-group
      .col-xs-offset-2.col-xs-4
        button.btn.btn.btn-primary(type='submit') Update Profile



+
  .page-header
    h3 Change Password

@ -48,6 +51,8 @@ block content
      label.col-xs-3.control-label(for='confirmPassword') Confirm Password
      .col-xs-4
        input.form-control(type='password', name='confirmPassword', id='confirmPassword')
+    .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
    .form-group
      .col-xs-offset-3.col-xs-4
        button.btn.btn.btn-primary(type='submit') Change Password
@ -80,4 +85,4 @@ block content
  if user.github
    p: a.text-danger(href='/account/unlink/github') Unlink your GitHub account
  else
-    p: a(href='/auth/github') Link your GitHub account
+    p: a(href='/auth/github') Link your GitHub account
--- a/views/account/signup.jade
+++ b/views/account/signup.jade
@ -15,6 +15,8 @@ block content
      label.col-sm-3.control-label(for='username') Confirm Password
      .col-sm-7
        input.form-control(type='password', name='confirmPassword', id='confirmPassword', placeholder='Confirm Password')
+    .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
    .form-group
      .col-sm-offset-3.col-sm-7
        button.btn.btn-success(type='submit')
--- a/views/contact.jade
+++ b/views/contact.jade
@ -17,6 +17,8 @@ block content
      label(class='col-sm-2 control-label', for='contactBody') Body
      .col-sm-8
        textarea.form-control(type='text', name='message', id='message', rows='7')
+    .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
    .form-group
      .col-sm-offset-2.col-sm-8
        button.btn.btn-default(type='submit')