Swapped connect-csrf for lusca and added conditional csrf

This commit is contained in:
Sahat Yalkabov
2014-04-18 14:29:30 -04:00
parent 1f63e5c424
commit d5f5bd185d
2 changed files with 15 additions and 5 deletions

app.js

@ -2,6 +2,7 @@
* Module dependencies. * Module dependencies.
*/ */
var _ = require('underscore');
var express = require('express'); var express = require('express');
var cookieParser = require('cookie-parser'); var cookieParser = require('cookie-parser');
var compress = require('compression'); var compress = require('compression');
@ -10,7 +11,7 @@ var bodyParser = require('body-parser');
var favicon = require('static-favicon'); var favicon = require('static-favicon');
var logger = require('morgan'); var logger = require('morgan');
var errorHandler = require('errorhandler'); var errorHandler = require('errorhandler');
var csrf = require('csurf'); var csrf = require('lusca').csrf();
var methodOverride = require('method-override'); var methodOverride = require('method-override');
var MongoStore = require('connect-mongo')({ session: session }); var MongoStore = require('connect-mongo')({ session: session });
@ -60,6 +61,10 @@ var hour = 3600000;
var day = hour * 24; var day = hour * 24;
var week = day * 7; var week = day * 7;
var csrfWhitelist = [
'/signup'
];
app.set('port', process.env.PORT || 3000); app.set('port', process.env.PORT || 3000);
app.set('views', path.join(__dirname, 'views')); app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'jade'); app.set('view engine', 'jade');
@ -82,19 +87,23 @@ app.use(session({
auto_reconnect: true auto_reconnect: true
}) })
})); }));
app.use(csrf());
app.use(passport.initialize()); app.use(passport.initialize());
app.use(passport.session()); app.use(passport.session());
app.use(function(req, res, next) {
// Conditional CSRF.
if (_.contains(csrfWhitelist, req.path)) next();
else csrf(req, res, next);
});
app.use(function(req, res, next) { app.use(function(req, res, next) {
res.locals.user = req.user; res.locals.user = req.user;
res.locals._csrf = req.csrfToken();
res.locals.secrets = secrets; res.locals.secrets = secrets;
next(); next();
}); });
app.use(flash()); app.use(flash());
app.use(express.static(path.join(__dirname, 'public'), { maxAge: week })); app.use(express.static(path.join(__dirname, 'public'), { maxAge: week }));
app.use(function(req, res, next) { app.use(function(req, res, next) {
// Keep track of previous URL // Keep track of previous URL to redirect back to
// original destination after a successful login.
if (req.method !== 'GET') return next(); if (req.method !== 'GET') return next();
var path = req.path.split('/')[1]; var path = req.path.split('/')[1];
if (/(auth|login|logout|signup)$/i.test(path)) return next(); if (/(auth|login|logout|signup)$/i.test(path)) return next();
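Review bot: The whitelist check in the new conditional middleware (`if (_.contains(csrfWhitelist, req.path)) next();`) skips CSRF validation for every request to `/signup` regardless of HTTP method, so a form posted from a third-party page can create an account in the visitor's browser, and neither the commit message nor the code says why that exemption is acceptable. If the bypass is really needed, keep the list as narrow as possible and record the rationale next to it, e.g. `// Conditional CSRF: '/signup' is exempt because <reason>; every other route requires a valid token.` Since lusca's csrf no longer runs on whitelisted paths, `res.locals._csrf` is presumably left unset there (the commit drops the explicit `req.csrfToken()` assignment), so any shared layout that still renders a hidden `_csrf` field on those routes would emit `undefined` — worth confirming against the signup view. The "Keep track of previous URL" middleware at the end of the hunk continues outside it.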


@ -53,7 +53,8 @@
"twit": "^1.1.13", "twit": "^1.1.13",
"underscore": "^1.6.0", "underscore": "^1.6.0",
"uglify-js": "^2.4.12", "uglify-js": "^2.4.12",
"validator": "^3.9.0" "validator": "^3.9.0",
"lusca": "^1.0.0"
}, },
"devDependencies": { "devDependencies": {
"mocha": "^1.18.2", "mocha": "^1.18.2",