implementing express.csrf for login and register pages (the only places where HTTP forms are used). Fixes #8

2025-11-02 03:55:55 +01:00 · 2013-06-20 12:41:22 -04:00
parent fc4d3d849d
commit 59d26d6fc9
3 changed files with 14 additions and 4 deletions
--- a/public/templates/login.tpl
+++ b/public/templates/login.tpl
@@ -9,6 +9,7 @@
 		<form method="post" action="/login">
 			<label>Username</label><input type="text" placeholder="Enter Username" name="username" id="username" /><br />
 			<label>Password</label><input type="password" placeholder="Enter Password" name="password" id="password" /><br />
+			<input type="hidden" name="_csrf" value="{token}" />
 			<button class="btn btn-primary" id="login" type="submit">Login</button> &nbsp; <a href="/reset">Forgot Password?</a>
 		</form>
 	</div>
--- a/public/templates/register.tpl
+++ b/public/templates/register.tpl
@@ -5,6 +5,7 @@
 			<label for="email">Email Address</label><input type="email" name="email" placeholder="Enter Email Address" id="email" /> <span id="email-notify" class="label label-important"></span><br />
 			<label for="username">Username</label><input type="text" name="username" placeholder="Enter Username" id="username" /> <span id="username-notify" class="label label-success"></span> <br />
 			<label for="password">Password</label><input type="password" name="password" placeholder="Enter Password" id="password" /> <span id="password-notify" class="label label-important"></span> <br />
+			<input type="hidden" name="_csrf" value="{token}" />
 			<button class="btn btn-primary" id="register" type="submit">Register Now</button>
 		</form>
 	</div>
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -44,7 +44,11 @@ var express = require('express'),
 		secret: global.config.secret,
 		key: 'express.sid'
 	}));
-
+	app.use(express.csrf());
+	app.use(function(req, res, next) {
+		res.locals.csrf_token = req.session._csrf;
+		next();
+	});

 	module.exports.init = function() {
 		templates = global.templates;
@@ -204,6 +208,8 @@ var express = require('express'),
 						}
 					}

+					data.token = res.locals.csrf_token;
+
 					res.send(JSON.stringify(data));
 				break;
 			case 'register' :
@@ -226,6 +232,8 @@ var express = require('express'),
 						}
 					}

+					data.token = res.locals.csrf_token;
+
 					res.send(JSON.stringify(data));
 				break;
 			case 'topic' :
@@ -282,10 +290,10 @@ var express = require('express'),
 	app.get('/api/:method/:id/:section?', api_method);
 	app.get('/api/:method/:id*', api_method);

-	app.get('/test', function(req, res) {
-		var ThreadTools = require('./threadTools.js');
-		ThreadTools.notify_followers(3);
+	app.all('/test', function(req, res) {
 		res.send();
+		// console.log('CSRF is: ', res.locals.token);
+		// res.send('<form method="POST" action="/test"><input type="hidden" name="_csrf" value="' + res.locals.token + '" /><button type="submit">go</button></form>');
 	});