diff --git a/app.js b/app.js
index 6390a26109..5996534e22 100755
--- a/app.js
+++ b/app.js
@@ -74,10 +74,12 @@ app.use(express.session({
 auto_reconnect: true
 })
 }));
+app.use(express.csrf());
 app.use(passport.initialize());
 app.use(passport.session());
 app.use(function(req, res, next) {
 res.locals.user = req.user;
+ res.locals.token = req.csrfToken();
 next();
 });
 app.use(flash());
diff --git a/views/account/login.jade b/views/account/login.jade
index db1ebe02bd..48467587a9 100644
--- a/views/account/login.jade
+++ b/views/account/login.jade
@@ -24,6 +24,8 @@ block content
 .form-group
 label.control-label(for='username') Password
 input.form-control(type='password', name='password', id='password', placeholder='Password')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 button.btn.btn-primary(type='submit')
 i.fa.fa-unlock-alt
diff --git a/views/account/profile.jade b/views/account/profile.jade
index fa56473eda..61bf41901c 100644
--- a/views/account/profile.jade
+++ b/views/account/profile.jade
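Review bot: The new `app.use(express.csrf());` line reads the submitted token from the parsed request body, so it only protects anything if the body parser is mounted ahead of it, and the top of the middleware chain (including the `app.use(express.session(...))` call this hunk starts inside) is outside the hunk — worth confirming, since with the parser mounted later every form POST in the views would fail with 403 rather than be validated. Because the check is global, any POST handler not touched by this commit (non-form or AJAX clients, if the app has them) now needs the token as well, which is presumably intended but should be stated in the commit message. The per-request middleware below also calls `req.csrfToken()` on every request, static assets included if `express.static` is mounted after it; harmless, but a comment such as `// expose the per-session CSRF token to every view` on the added line would explain why it lives here. `res.locals.token` is a vague name for a value that every template sees; `res.locals._csrf = req.csrfToken();` (and `value=_csrf` in the views) names what it is.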
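Review bot: The added hidden input in the login form is wrapped in a `.form-group` and given the `.form-control` class, but both are Bootstrap styling for visible controls — the empty `.form-group` only adds bottom margin, so a bare `input(type='hidden', name='_csrf', value=token)` directly under the form is enough. The same pattern is repeated in the two profile.jade hunks, the signup hunk and the contact hunk. Note that `value=token` is an evaluated attribute, which Jade escapes and, as far as I recall, drops entirely when `token` is undefined, so a view rendered by a route mounted before the locals middleware would silently post without a token; the 403 would be the only symptom.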
@@ -3,44 +3,44 @@ extends ../layout
 block content
 .page-header
 h3 Profile Information
- form.form-horizontal(action='/account/profile', method='POST')
- .row
- .col-xs-10
- .form-group
- label.col-xs-2.control-label(for='email') Email
- .col-xs-4
- input.form-control(type='email', name='email', id='email', value='#{user.email}')
- .form-group
- label.col-xs-2.control-label(for='name') Name
- .col-xs-4
- input.form-control(type='text', name='name', id='name', value='#{user.profile.name}')
- .form-group
- label.col-xs-2.control-label(for='name') Gender
- .col-xs-4
- label.radio
- input(type='radio', checked=user.profile.gender=='male', name='gender', value='male', data-toggle='radio')
- | Male
- label.radio
- input(type='radio', checked=user.profile.gender=='female', name='gender', value='female', data-toggle='radio')
- | Female
- .form-group
- label.col-xs-2.control-label(for='location') Location
- .col-xs-4
- input.form-control(type='text', name='location', id='location', value='#{user.profile.location}')
- .form-group
- label.col-xs-2.control-label(for='website') Website
- .col-xs-4
- input.form-control(type='text', name='website', id='website', value='#{user.profile.website}')
- .form-group
- label.col-xs-2.control-label(for='gravatar') Gravatar
- .col-xs-4
- img(src="#{user.gravatar()}", class='profile', width='100', height='100')
- .form-group
- .col-xs-offset-2.col-xs-4
- button.btn.btn.btn-primary(type='submit')
- i.fa.fa-magnet
- | Update Profile
+ form.form-horizontal(action='/account/profile', method='POST')
+ .form-group
+ label.col-xs-2.control-label(for='email') Email
+ .col-xs-4
+ input.form-control(type='email', name='email', id='email', value='#{user.email}')
+ .form-group
+ label.col-xs-2.control-label(for='name') Name
+ .col-xs-4
+ input.form-control(type='text', name='name', id='name', value='#{user.profile.name}')
+ .form-group
+ label.col-xs-2.control-label(for='name') Gender
+ .col-xs-4
+ label.radio
+ input(type='radio', checked=user.profile.gender=='male', name='gender', value='male', data-toggle='radio')
+ | Male
+ label.radio
+ input(type='radio', checked=user.profile.gender=='female', name='gender', value='female', data-toggle='radio')
+ | Female
+ .form-group
+ label.col-xs-2.control-label(for='location') Location
+ .col-xs-4
+ input.form-control(type='text', name='location', id='location', value='#{user.profile.location}')
+ .form-group
+ label.col-xs-2.control-label(for='website') Website
+ .col-xs-4
+ input.form-control(type='text', name='website', id='website', value='#{user.profile.website}')
+ .form-group
+ label.col-xs-2.control-label(for='gravatar') Gravatar
+ .col-xs-4
+ img(src="#{user.gravatar()}", class='profile', width='100', height='100')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
+ .form-group
+ .col-xs-offset-2.col-xs-4
+ button.btn.btn.btn-primary(type='submit')
+ i.fa.fa-magnet
+ | Update Profile
 .page-header
@@ -55,6 +55,8 @@ block content
 label.col-xs-3.control-label(for='confirmPassword') Confirm Password
 .col-xs-4
 input.form-control(type='password', name='confirmPassword', id='confirmPassword')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-xs-offset-3.col-xs-4
 button.btn.btn.btn-primary(type='submit')
diff --git a/views/account/signup.jade b/views/account/signup.jade
index f88ebc483a..8fdc9f7d72 100644
--- a/views/account/signup.jade
+++ b/views/account/signup.jade
@@ -15,6 +15,8 @@ block content
 label.col-sm-3.control-label(for='username') Confirm Password
 .col-sm-7
 input.form-control(type='password', name='confirmPassword', id='confirmPassword', placeholder='Confirm Password')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-sm-offset-3.col-sm-7
 button.btn.btn-success(type='submit')
diff --git a/views/contact.jade b/views/contact.jade
index 9e66769df6..0aad190068 100644
--- a/views/contact.jade
+++ b/views/contact.jade
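Review bot: The first profile.jade hunk rewrites the whole profile form (37 lines removed, 37 added) to drop the `.row`/`.col-xs-10` wrappers and reindent everything, while the CSRF-relevant change is only the two `_csrf` lines before the submit button; the layout change is unrelated to the commit's purpose and buries the functional addition, so it would be easier to review as a separate commit. In the moved lines the Gender label still carries `for='name'`, which associates it with the Name text input rather than the radio group — `label.col-xs-2.control-label Gender` without `for`, or a `for` matching a radio `id`, would be correct. The second profile hunk repeats the hidden-input pattern from the login form.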
@@ -17,6 +17,8 @@ block content
 label(class='col-sm-2 control-label', for='contactBody') Body
 .col-sm-8
 textarea.form-control(type='text', name='message', id='message', rows='7')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-sm-offset-2.col-sm-8
 button.btn.btn-default(type='submit')