Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: require csrf token if not using bearer token

Browse Source
This commit is contained in:
Julian Lam
2020-10-13 16:58:44 -04:00
parent 30b3fedca4
commit 1e07886f30
3 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
public/src/modules/api.js
View File

@@ -5,7 +5,11 @@ define('api', () => {
const baseUrl = config.relative_path + '/api/v3'; const baseUrl = config.relative_path + '/api/v3';
function call(options, onSuccess, onError) { function call(options, onSuccess, onError) {
$.ajax(options) $.ajax(Object.assign({
headers: {
'x-csrf-token': config.csrf_token,
},
}, options))
.done((res) => { .done((res) => {
if (onSuccess) { if (onSuccess) {
onSuccess(res.response); onSuccess(res.response);

1
src/middleware/index.js
View File

@@ -48,6 +48,7 @@ middleware.applyCSRF = function (req, res, next) {
next(); next();
} }
}; };
middleware.applyCSRFasync = util.promisify(middleware.applyCSRF);
middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login'); middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');

4
src/middleware/user.js
View File

@@ -34,6 +34,10 @@ module.exports = function (middleware) {
const loginAsync = util.promisify(req.login).bind(req); const loginAsync = util.promisify(req.login).bind(req);
if (req.loggedIn) { if (req.loggedIn) {
if (res.locals.isAPI) {
await middleware.applyCSRFasync(req, res);
}
return true; return true;
} else if (req.headers.hasOwnProperty('authorization')) { } else if (req.headers.hasOwnProperty('authorization')) {
const user = await passportAuthenticateAsync(req, res); const user = await passportAuthenticateAsync(req, res);