From 71f05d285296da573e6877798df616903c37b267 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Mon, 3 Feb 2014 11:33:55 -0500
Subject: [PATCH 1/7] Add CSRF Security measures on login forms

just added the csrf middleware
---
 app.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app.js b/app.js
index dbd924acdf..f39b8e6d64 100755
--- a/app.js
+++ b/app.js
@@ -60,6 +60,7 @@ app.use(require('connect-assets')({
 helperContext: app.locals
 }));
 app.use(express.compress());
+app.use(express.csrf());
 app.use(express.favicon());
 app.use(express.logger('dev'));
 app.use(express.cookieParser());

From f9ec861151f477b861d783b058bc0a1dea9e30b9 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Mon, 3 Feb 2014 13:02:24 -0500
Subject: [PATCH 2/7] Added CSRF Protection to all form views

---
 app.js | 9 +++++++++
 views/account/login.jade | 2 ++
 views/account/profile.jade | 5 +++++
 views/account/signup.jade | 2 ++
 views/contact.jade | 2 ++
 5 files changed, 20 insertions(+)

diff --git a/app.js b/app.js
index 6390a26109..41c9d9e4ae 100755
--- a/app.js
+++ b/app.js
@@ -74,10 +74,12 @@ app.use(express.session({
 auto_reconnect: true
 })
 }));
+app.use(express.csrf());
 app.use(passport.initialize());
 app.use(passport.session());
 app.use(function(req, res, next) {
 res.locals.user = req.user;
+ res.locals.token = req.csrfToken();
 next();
 });
 app.use(flash());
@@ -89,6 +91,13 @@ app.use(function(req, res) {
 });
 app.use(express.errorHandler());
 
+/*Helper function for CSRF
+app.dynamicHelpers({
+ token: function(req, res) {
+ return req.session._csrf;
+ }
+});*/
+
 /**
  * Application routes.
  */
diff --git a/views/account/login.jade b/views/account/login.jade
index db1ebe02bd..23ea7cd3db 100644
--- a/views/account/login.jade
+++ b/views/account/login.jade
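Review bot: The new `app.use(express.csrf())` is mounted before `express.cookieParser()` and, judging by the next patch's hunk at line 74, before `express.session()` as well; as far as I can tell from connect's implementation express.csrf() keeps its secret on `req.session`, so at this position it has no session to work with and requests error out instead of being checked. Patch 5/7 of this series deletes this line again, so the end state is correct, but commits 1/7 through 4/7 are individually broken; squashing 1/7 with 5/7 would keep the history bisectable. A short comment at the surviving mount point would stop this from recurring, e.g. `// CSRF: must run after express.session() (secret lives in the session) and after the body parser (token is read from req.body._csrf)`.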
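Review bot: `express.csrf()` only validates non-safe methods, so the GET links this app uses for state changes — the `/account/unlink/github` anchor visible in profile.jade is one example — remain exploitable cross-site even once every form carries `_csrf`; those actions should become POST forms (or go through a confirmation form) that include the token. The middleware reads the token from `req.body._csrf` (with query/header fallbacks), so the body parser must be mounted above this line; it is not visible in this hunk, please confirm the ordering. `res.locals.token` is a very generic name that other views or helpers may already use; `res.locals._csrf = req.csrfToken();` makes its purpose obvious and mirrors the field name the forms post. The `app.use(function(req, res, next) {...})` block would also benefit from a one-line comment, `// expose the current user and a per-session CSRF token to every view`.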
@@ -24,6 +24,8 @@ block content
 .form-group
 label.control-label(for='username') Password
 input.form-control(type='password', name='password', id='password', placeholder='Password')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 button.btn.btn-primary(type='submit')
 i.fa.fa-unlock-alt
diff --git a/views/account/profile.jade b/views/account/profile.jade
index ef2ba7a192..e8504962b8 100644
--- a/views/account/profile.jade
+++ b/views/account/profile.jade
@@ -30,12 +30,15 @@ block content
 label.col-xs-2.control-label(for='website') Website
 .col-xs-4
 input.form-control(type='text', name='website', id='website', value='#{user.profile.website}')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-xs-offset-2.col-xs-4
 button.btn.btn.btn-primary(type='submit') Update Profile
+ .page-header h3 Change Password
@@ -48,6 +51,8 @@ block content
 label.col-xs-3.control-label(for='confirmPassword') Confirm Password
 .col-xs-4
 input.form-control(type='password', name='confirmPassword', id='confirmPassword')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-xs-offset-3.col-xs-4
 button.btn.btn.btn-primary(type='submit') Change Password
diff --git a/views/account/signup.jade b/views/account/signup.jade
index f88ebc483a..0d6e8aa7dd 100644
--- a/views/account/signup.jade
+++ b/views/account/signup.jade
@@ -15,6 +15,8 @@ block content
 label.col-sm-3.control-label(for='username') Confirm Password
 .col-sm-7
 input.form-control(type='password', name='confirmPassword', id='confirmPassword', placeholder='Confirm Password')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-sm-offset-3.col-sm-7
 button.btn.btn-success(type='submit')
diff --git a/views/contact.jade b/views/contact.jade
index 9e66769df6..c846ead911 100644
--- a/views/contact.jade
+++ b/views/contact.jade
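Review bot: The hidden `_csrf` field added here is wrapped in its own `.form-group` and given `.form-control`; both are Bootstrap classes meant for visible controls, so the wrapper renders as an empty group (extra vertical spacing) and the class does nothing for a hidden input. `input(type='hidden', name='_csrf', value=token)` placed directly under the form element is sufficient; the same pattern is repeated in the profile, signup and contact hunks of this patch. Jade attribute-escapes `value=token`, which is correct here. The enclosing `form(...)` line sits outside the hunk, so I cannot confirm from this view that the input lands inside the form — worth a glance on the profile page, where two separate forms each receive a copy.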
@@ -17,6 +17,8 @@ block content
 label(class='col-sm-2 control-label', for='contactBody') Body
 .col-sm-8
 textarea.form-control(type='text', name='message', id='message', rows='7')
+ .form-group
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-sm-offset-2.col-sm-8
 button.btn.btn-default(type='submit')

From c99c8fe1f8487590b3d1b54d734d982546cdb239 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Mon, 3 Feb 2014 13:08:34 -0500
Subject: [PATCH 3/7] Changed Views to accept CSRF token

---
 app.js | 2 +-
 views/account/login.jade | 2 +-
 views/account/profile.jade | 6 +++---
 views/account/signup.jade | 2 +-
 views/contact.jade | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/app.js b/app.js
index 41c9d9e4ae..4d2e73c67b 100755
--- a/app.js
+++ b/app.js
@@ -79,7 +79,7 @@ app.use(passport.initialize());
 app.use(passport.session());
 app.use(function(req, res, next) {
 res.locals.user = req.user;
- res.locals.token = req.csrfToken();
+ res.locals.token = req.csrfToken();
 next();
 });
 app.use(flash());
diff --git a/views/account/login.jade b/views/account/login.jade
index 23ea7cd3db..48467587a9 100644
--- a/views/account/login.jade
+++ b/views/account/login.jade
@@ -25,7 +25,7 @@ block content
 label.control-label(for='username') Password
 input.form-control(type='password', name='password', id='password', placeholder='Password')
 .form-group
- input.form-control(type='hidden', name='_csrf', value=token)
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 button.btn.btn-primary(type='submit')
 i.fa.fa-unlock-alt
diff --git a/views/account/profile.jade b/views/account/profile.jade
index e8504962b8..a47a2eb4c3 100644
--- a/views/account/profile.jade
+++ b/views/account/profile.jade
@@ -31,7 +31,7 @@ block content
 .col-xs-4
 input.form-control(type='text', name='website', id='website', value='#{user.profile.website}')
 .form-group
- input.form-control(type='hidden', name='_csrf', value=token)
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-xs-offset-2.col-xs-4
 button.btn.btn.btn-primary(type='submit') Update Profile
@@ -52,7 +52,7 @@ block content
 .col-xs-4
 input.form-control(type='password', name='confirmPassword', id='confirmPassword')
 .form-group
- input.form-control(type='hidden', name='_csrf', value=token)
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-xs-offset-3.col-xs-4
 button.btn.btn.btn-primary(type='submit') Change Password
@@ -85,4 +85,4 @@ block content
 if user.github
 p: a.text-danger(href='/account/unlink/github') Unlink your GitHub account
 else
- p: a(href='/auth/github') Link your GitHub account
+ p: a(href='/auth/github') Link your GitHub account
\ No newline at end of file
diff --git a/views/account/signup.jade b/views/account/signup.jade
index 0d6e8aa7dd..8fdc9f7d72 100644
--- a/views/account/signup.jade
+++ b/views/account/signup.jade
@@ -16,7 +16,7 @@ block content
 .col-sm-7
 input.form-control(type='password', name='confirmPassword', id='confirmPassword', placeholder='Confirm Password')
 .form-group
- input.form-control(type='hidden', name='_csrf', value=token)
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-sm-offset-3.col-sm-7
 button.btn.btn-success(type='submit')
diff --git a/views/contact.jade b/views/contact.jade
index c846ead911..0aad190068 100644
--- a/views/contact.jade
+++ b/views/contact.jade
@@ -18,7 +18,7 @@ block content
 .col-sm-8
 textarea.form-control(type='text', name='message', id='message', rows='7')
 .form-group
- input.form-control(type='hidden', name='_csrf', value=token)
+ input.form-control(type='hidden', name='_csrf', value=token)
 .form-group
 .col-sm-offset-2.col-sm-8
 button.btn.btn-default(type='submit')
From 8f0e61c26ba52024a3b5006f254ecfd23e189217 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Mon, 3 Feb 2014 13:27:06 -0500
Subject: [PATCH 4/7] Removed dynamicHelpers comment

---
 app.js | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/app.js b/app.js
index 532be844d3..2075c61174 100755
--- a/app.js
+++ b/app.js
@@ -92,13 +92,6 @@ app.use(function(req, res) {
 });
 app.use(express.errorHandler());
 
-/*Helper function for CSRF
-app.dynamicHelpers({
- token: function(req, res) {
- return req.session._csrf;
- }
-});*/
-
 /**
  * Application routes.
  */

From ba1916c7d3e07fa15390234e8b4d798adecaea94 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Mon, 3 Feb 2014 13:31:04 -0500
Subject: [PATCH 5/7] Removed extra app.use(express.csrf());

---
 app.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app.js b/app.js
index 2075c61174..5996534e22 100755
--- a/app.js
+++ b/app.js
@@ -60,7 +60,6 @@ app.use(require('connect-assets')({
 helperContext: app.locals
 }));
 app.use(express.compress());
-app.use(express.csrf());
 app.use(express.favicon());
 app.use(express.logger('dev'));
 app.use(express.cookieParser());

From 1b6aa2e6035a63ce08155e8ce3324ebe0e03a3d9 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Mon, 3 Feb 2014 13:31:53 -0500
Subject: [PATCH 6/7] Readded newline

---
 views/account/profile.jade | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/views/account/profile.jade b/views/account/profile.jade
index a47a2eb4c3..2fd987d92a 100644
--- a/views/account/profile.jade
+++ b/views/account/profile.jade
@@ -85,4 +85,5 @@ block content
 if user.github
 p: a.text-danger(href='/account/unlink/github') Unlink your GitHub account
 else
- p: a(href='/auth/github') Link your GitHub account
\ No newline at end of file
+ p: a(href='/auth/github') Link your GitHub account
+

From c5199929a596d11eafab1cb327e5a223e49d7609 Mon Sep 17 00:00:00 2001
From: Brian Ridings
Date: Mon, 3 Feb 2014 13:32:13 -0500
Subject: [PATCH 7/7] Update profile.jade

---
 views/account/profile.jade | 1 -
 1 file changed, 1 deletion(-)

diff --git a/views/account/profile.jade b/views/account/profile.jade
index 2fd987d92a..3d56e33f65 100644
--- a/views/account/profile.jade
+++ b/views/account/profile.jade
@@ -86,4 +86,3 @@ block content
 p: a.text-danger(href='/account/unlink/github') Unlink your GitHub account
 else
 p: a(href='/auth/github') Link your GitHub account
-