diff --git a/app.js b/app.js index f39b8e6d64..532be844d3 100755 --- a/app.js +++ b/app.js @@ -69,16 +69,18 @@ app.use(express.urlencoded()); app.use(expressValidator()); app.use(express.methodOverride()); app.use(express.session({ - secret: 'your secret code', + secret: secrets.sessionSecret, store: new MongoStore({ db: mongoose.connection.db, auto_reconnect: true }) })); +app.use(express.csrf()); app.use(passport.initialize()); app.use(passport.session()); app.use(function(req, res, next) { res.locals.user = req.user; + res.locals.token = req.csrfToken(); next(); }); app.use(flash()); @@ -90,6 +92,13 @@ app.use(function(req, res) { }); app.use(express.errorHandler()); +/*Helper function for CSRF +app.dynamicHelpers({ + token: function(req, res) { + return req.session._csrf; + } +});*/ + /** * Application routes. */ diff --git a/views/account/login.jade b/views/account/login.jade index db1ebe02bd..48467587a9 100644 --- a/views/account/login.jade +++ b/views/account/login.jade @@ -24,6 +24,8 @@ block content .form-group label.control-label(for='username') Password input.form-control(type='password', name='password', id='password', placeholder='Password') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group button.btn.btn-primary(type='submit') i.fa.fa-unlock-alt diff --git a/views/account/profile.jade b/views/account/profile.jade index ef2ba7a192..a47a2eb4c3 100644 --- a/views/account/profile.jade +++ b/views/account/profile.jade @@ -30,12 +30,15 @@ block content label.col-xs-2.control-label(for='website') Website .col-xs-4 input.form-control(type='text', name='website', id='website', value='#{user.profile.website}') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-xs-offset-2.col-xs-4 button.btn.btn.btn-primary(type='submit') Update Profile + .page-header h3 Change Password @@ -48,6 +51,8 @@ block content label.col-xs-3.control-label(for='confirmPassword') Confirm Password .col-xs-4 input.form-control(type='password', name='confirmPassword', id='confirmPassword') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-xs-offset-3.col-xs-4 button.btn.btn.btn-primary(type='submit') Change Password @@ -80,4 +85,4 @@ block content if user.github p: a.text-danger(href='/account/unlink/github') Unlink your GitHub account else - p: a(href='/auth/github') Link your GitHub account + p: a(href='/auth/github') Link your GitHub account \ No newline at end of file diff --git a/views/account/signup.jade b/views/account/signup.jade index f88ebc483a..8fdc9f7d72 100644 --- a/views/account/signup.jade +++ b/views/account/signup.jade @@ -15,6 +15,8 @@ block content label.col-sm-3.control-label(for='username') Confirm Password .col-sm-7 input.form-control(type='password', name='confirmPassword', id='confirmPassword', placeholder='Confirm Password') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-sm-offset-3.col-sm-7 button.btn.btn-success(type='submit') diff --git a/views/contact.jade b/views/contact.jade index 9e66769df6..0aad190068 100644 --- a/views/contact.jade +++ b/views/contact.jade @@ -17,6 +17,8 @@ block content label(class='col-sm-2 control-label', for='contactBody') Body .col-sm-8 textarea.form-control(type='text', name='message', id='message', rows='7') + .form-group + input.form-control(type='hidden', name='_csrf', value=token) .form-group .col-sm-offset-2.col-sm-8 button.btn.btn-default(type='submit')