From 3ae67f6fa95f51d8a4ab66aa136865ef8d4d9d2a Mon Sep 17 00:00:00 2001
From: Berkeley Martinez
Date: Mon, 2 May 2016 17:22:56 -0700
Subject: [PATCH] Add csrf protection

---
 package.json                        | 1 +
 server/middleware.json              | 1 +
 server/middlewares/csurf.js         | 5 +++++
 server/middlewares/global-locals.js | 1 +
 4 files changed, 8 insertions(+)
 create mode 100644 server/middlewares/csurf.js

diff --git a/package.json b/package.json
index 4ac012c6c1..9fae5eb92c 100644
--- a/package.json
+++ b/package.json
@@ -43,6 +43,7 @@
     "compression": "^1.6.0",
     "connect-mongo": "~1.1.0",
     "cookie-parser": "^1.4.0",
+    "csurf": "^1.8.3",
     "debug": "^2.2.0",
     "dedent": "~0.6.0",
     "dotenv": "^2.0.0",
diff --git a/server/middleware.json b/server/middleware.json
index 6968886d90..1ec30ef11b 100644
--- a/server/middleware.json
+++ b/server/middleware.json
@@ -42,6 +42,7 @@
     "helmet#xssFilter": {},
     "helmet#noSniff": {},
     "helmet#frameguard": {},
+    "./middlewares/csurf": {},
     "./middlewares/constant-headers": {},
     "./middlewares/csp": {},
     "./middlewares/express-rx": {},
diff --git a/server/middlewares/csurf.js b/server/middlewares/csurf.js
new file mode 100644
index 0000000000..737a602a0f
--- /dev/null
+++ b/server/middlewares/csurf.js
@@ -0,0 +1,5 @@
+import csurf from 'csurf';
+
+export default function() {
+  return csurf({ cookie: true });
+}
diff --git a/server/middlewares/global-locals.js b/server/middlewares/global-locals.js
index 32a6148562..a018a3e46a 100644
--- a/server/middlewares/global-locals.js
+++ b/server/middlewares/global-locals.js
@@ -2,6 +2,7 @@ export default function globalLocals() {
   return function(req, res, next) {
     // Make user object available in templates.
     res.locals.user = req.user;
+    res.locals._csrf = req.csrfToken();
     next();
   };
 }
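Review bot: `./middlewares/csurf` is inserted after the helmet entries, but because csurf.js enables `cookie: true` the middleware reads and writes its secret through `req.cookies`, so `cookie-parser` has to be mounted earlier in this list; the hunk does not show where `cookie-parser` is registered, so confirm it precedes `./middlewares/csurf`, otherwise csurf raises its misconfiguration error on every request instead of protecting anything. Registering it at this global position also means every non-GET/HEAD/OPTIONS route, including any endpoint reached by non-browser clients or third-party callbacks, now requires a token, and the commit does not say which routes, if any, are meant to be exempt. Since JSON cannot carry a comment, record the contract in csurf.js instead, e.g. `// Mounted globally from server/middleware.json after cookie-parser; every mutating route requires a token unless it is mounted ahead of this middleware.`.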
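Review bot: `cookie: true` stores the CSRF secret in a cookie with csurf's default attributes, so the `_csrf` secret cookie is issued without `httpOnly` or `secure`, which leaves the secret readable by page scripts and sent over plain HTTP. Pass an options object instead, which csurf forwards to `res.cookie`: `return csurf({ cookie: { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' } });` — whether `sameSite` is honoured depends on the Express/cookie versions resolved by the lockfile, so confirm before relying on it. Naming the export (`export default function csurfProtection()`) would match `globalLocals` in the sibling file and give the middleware a name in stack traces. Note also that csurf has since been deprecated upstream, so a migration path for this module should be tracked.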
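Review bot: `req.csrfToken()` is called unconditionally, so if the csurf middleware does not run ahead of globalLocals for a request (mount order in middleware.json, or a route stack where csurf is skipped) this line throws a TypeError on every request rather than rendering without a token; that loud failure is acceptable, but the ordering contract should be stated on the line: `// Set by ./middlewares/csurf, which must be mounted before globalLocals; the token (not the secret cookie) is what templates embed in forms.`. Guarding with `req.csrfToken ? req.csrfToken() : null` would only mask a misconfiguration and is not recommended. The commit also adds no handler for the `EBADCSRFTOKEN` error csurf raises when a token is missing or wrong, so the app's default error handler decides what the client sees — a dedicated 403 response and a log line for detection are worth adding. globalLocals itself starts outside this hunk.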