From 8c0981a1d69c6819f298534249185bf88f2a2ff8 Mon Sep 17 00:00:00 2001 From: Brian Ridings Date: Mon, 3 Feb 2014 12:21:41 -0500 Subject: [PATCH 1/3] Move session secret in to config Secret file --- app.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app.js b/app.js index dbd924acdfc..6390a26109b 100755 --- a/app.js +++ b/app.js @@ -68,7 +68,7 @@ app.use(express.urlencoded()); app.use(expressValidator()); app.use(express.methodOverride()); app.use(express.session({ - secret: 'your secret code', + secret: secrets.sessionSecret, store: new MongoStore({ db: mongoose.connection.db, auto_reconnect: true From f9ec861151f477b861d783b058bc0a1dea9e30b9 Mon Sep 17 00:00:00 2001 From: Brian Ridings Date: Mon, 3 Feb 2014 13:02:24 -0500 Subject: [PATCH 2/3] Added CSRF Protection to all form views --- app.js | 9 +++++++++ views/account/login.jade | 2 ++ views/account/profile.jade | 5 +++++ views/account/signup.jade | 2 ++ views/contact.jade | 2 ++ 5 files changed, 20 insertions(+) diff --git a/app.js b/app.js index 6390a26109b..41c9d9e4ae0 100755 --- a/app.js +++ b/app.js @@ -74,10 +74,12 @@ app.use(express.session({ auto_reconnect: true }) })); +app.use(express.csrf()); app.use(passport.initialize()); app.use(passport.session()); app.use(function(req, res, next) { res.locals.user = req.user; + res.locals.token = req.csrfToken(); next(); }); app.use(flash()); @@ -89,6 +91,13 @@ app.use(function(req, res) { }); app.use(express.errorHandler()); +/*Helper function for CSRF +app.dynamicHelpers({ + token: function(req, res) { + return req.session._csrf; + } +});*/ + /** * Application routes. */ diff --git a/views/account/login.jade b/views/account/login.jade index db1ebe02bd0..23ea7cd3db4 100644 --- a/views/account/login.jade +++ b/views/account/login.jade @@ -24,6 +24,8 @@ block content .form-group label.control-label(for='username') Password input.form-control(type='password', name='password', id='password', placeholder='Password') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group button.btn.btn-primary(type='submit') i.fa.fa-unlock-alt diff --git a/views/account/profile.jade b/views/account/profile.jade index ef2ba7a1921..e8504962b8b 100644 --- a/views/account/profile.jade +++ b/views/account/profile.jade @@ -30,12 +30,15 @@ block content label.col-xs-2.control-label(for='website') Website .col-xs-4 input.form-control(type='text', name='website', id='website', value='#{user.profile.website}') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-xs-offset-2.col-xs-4 button.btn.btn.btn-primary(type='submit') Update Profile + .page-header h3 Change Password @@ -48,6 +51,8 @@ block content label.col-xs-3.control-label(for='confirmPassword') Confirm Password .col-xs-4 input.form-control(type='password', name='confirmPassword', id='confirmPassword') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-xs-offset-3.col-xs-4 button.btn.btn.btn-primary(type='submit') Change Password diff --git a/views/account/signup.jade b/views/account/signup.jade index f88ebc483a2..0d6e8aa7dd3 100644 --- a/views/account/signup.jade +++ b/views/account/signup.jade @@ -15,6 +15,8 @@ block content label.col-sm-3.control-label(for='username') Confirm Password .col-sm-7 input.form-control(type='password', name='confirmPassword', id='confirmPassword', placeholder='Confirm Password') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-sm-offset-3.col-sm-7 button.btn.btn-success(type='submit') diff --git a/views/contact.jade b/views/contact.jade index 9e66769df61..c846ead9114 100644 --- a/views/contact.jade +++ b/views/contact.jade @@ -17,6 +17,8 @@ block content label(class='col-sm-2 control-label', for='contactBody') Body .col-sm-8 textarea.form-control(type='text', name='message', id='message', rows='7') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-sm-offset-2.col-sm-8 button.btn.btn-default(type='submit') From c99c8fe1f8487590b3d1b54d734d982546cdb239 Mon Sep 17 00:00:00 2001 From: Brian Ridings Date: Mon, 3 Feb 2014 13:08:34 -0500 Subject: [PATCH 3/3] Changed Views to accept CSRF token --- app.js | 2 +- views/account/login.jade | 2 +- views/account/profile.jade | 6 +++--- views/account/signup.jade | 2 +- views/contact.jade | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/app.js b/app.js index 41c9d9e4ae0..4d2e73c67b3 100755 --- a/app.js +++ b/app.js @@ -79,7 +79,7 @@ app.use(passport.initialize()); app.use(passport.session()); app.use(function(req, res, next) { res.locals.user = req.user; - res.locals.token = req.csrfToken(); + res.locals.token = req.csrfToken(); next(); }); app.use(flash()); diff --git a/views/account/login.jade b/views/account/login.jade index 23ea7cd3db4..48467587a9e 100644 --- a/views/account/login.jade +++ b/views/account/login.jade @@ -25,7 +25,7 @@ block content label.control-label(for='username') Password input.form-control(type='password', name='password', id='password', placeholder='Password') .form-group - input.form-control(type='hidden', name='_csrf', value=token) + input.form-control(type='hidden', name='_csrf', value=token) .form-group button.btn.btn-primary(type='submit') i.fa.fa-unlock-alt diff --git a/views/account/profile.jade b/views/account/profile.jade index e8504962b8b..a47a2eb4c3c 100644 --- a/views/account/profile.jade +++ b/views/account/profile.jade @@ -31,7 +31,7 @@ block content .col-xs-4 input.form-control(type='text', name='website', id='website', value='#{user.profile.website}') .form-group - input.form-control(type='hidden', name='_csrf', value=token) + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-xs-offset-2.col-xs-4 button.btn.btn.btn-primary(type='submit') Update Profile @@ -52,7 +52,7 @@ block content .col-xs-4 input.form-control(type='password', name='confirmPassword', id='confirmPassword') .form-group - input.form-control(type='hidden', name='_csrf', value=token) + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-xs-offset-3.col-xs-4 button.btn.btn.btn-primary(type='submit') Change Password @@ -85,4 +85,4 @@ block content if user.github p: a.text-danger(href='/account/unlink/github') Unlink your GitHub account else - p: a(href='/auth/github') Link your GitHub account + p: a(href='/auth/github') Link your GitHub account \ No newline at end of file diff --git a/views/account/signup.jade b/views/account/signup.jade index 0d6e8aa7dd3..8fdc9f7d723 100644 --- a/views/account/signup.jade +++ b/views/account/signup.jade @@ -16,7 +16,7 @@ block content .col-sm-7 input.form-control(type='password', name='confirmPassword', id='confirmPassword', placeholder='Confirm Password') .form-group - input.form-control(type='hidden', name='_csrf', value=token) + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-sm-offset-3.col-sm-7 button.btn.btn-success(type='submit') diff --git a/views/contact.jade b/views/contact.jade index c846ead9114..0aad1900687 100644 --- a/views/contact.jade +++ b/views/contact.jade @@ -18,7 +18,7 @@ block content .col-sm-8 textarea.form-control(type='text', name='message', id='message', rows='7') .form-group - input.form-control(type='hidden', name='_csrf', value=token) + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-sm-offset-2.col-sm-8 button.btn.btn-default(type='submit')