Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: move the check to get methods

Browse Source 
all .post methods will have csrf
This commit is contained in:
Barış Soner Uşaklı
2018-12-14 23:38:05 -05:00
parent fbe6ccd773
commit 99e0895e99
4 changed files with 42 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/middleware/header.js
View File

@@ -26,7 +26,11 @@ module.exports = function (middleware) {
res.locals.isAPI = false; res.locals.isAPI = false;
async.waterfall([ async.waterfall([
function (next) { function (next) {
middleware.applyCSRF(req, res, next); if (!req.isSpider()) {
middleware.applyCSRF(req, res, next);
} else {
setImmediate(next);
}
}, },
function (next) { function (next) {
async.parallel({ async.parallel({

10
src/middleware/index.js
View File

@@ -32,15 +32,7 @@ middleware.regexes = {
timestampedUpload: /^\d+-.+$/, timestampedUpload: /^\d+-.+$/,
}; };
const csrfMiddleware = csrf(); middleware.applyCSRF = csrf();
middleware.applyCSRF = function (req, res, next) {
if (req.uid >= 0) {
csrfMiddleware(req, res, next);
} else {
setImmediate(next);
}
};
middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login'); middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');

8
src/routes/api.js
View File

@@ -8,7 +8,13 @@ module.exports = function (app, middleware, controllers) {
var router = express.Router(); var router = express.Router();
app.use('/api', router); app.use('/api', router);
router.get('/config', middleware.applyCSRF, controllers.api.getConfig); router.get('/config', function (req, res, next) {
if (!req.isSpider()) {
middleware.applyCSRF(req, res, next);
} else {
setImmediate(next);
}
}, controllers.api.getConfig);
router.get('/me', middleware.checkGlobalPrivacySettings, controllers.user.getCurrentUser); router.get('/me', middleware.checkGlobalPrivacySettings, controllers.user.getCurrentUser);
router.get('/user/uid/:uid', middleware.checkGlobalPrivacySettings, controllers.user.getUserByUID); router.get('/user/uid/:uid', middleware.checkGlobalPrivacySettings, controllers.user.getUserByUID);

29
test/controllers.js
View File

@@ -60,6 +60,35 @@ describe('Controllers', function () {
}); });
}); });
it('should load /config with csrf_token', function (done) {
request({
url: nconf.get('url') + '/api/config',
json: true,
}, function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 200);
assert(body.csrf_token);
done();
});
});
it('should load /config with no csrf_token as spider', function (done) {
request({
url: nconf.get('url') + '/api/config',
json: true,
headers: {
'user-agent': 'yandex',
},
}, function (err, response, body) {
assert.ifError(err);
assert.equal(response.statusCode, 200);
assert.strictEqual(body.csrf_token, false);
assert.strictEqual(body.uid, -1);
assert.strictEqual(body.loggedIn, false);
done();
});
});
describe('homepage', function () { describe('homepage', function () {
function hookMethod(hookData) { function hookMethod(hookData) {
assert(hookData.req); assert(hookData.req);