2015-02-22 18:15:22 -06:00
|
|
|
/*
|
|
|
|
|
* Adapted from https://github.com/expressjs/csurf
|
|
|
|
|
*/
|
|
|
|
|
|
2015-10-26 22:56:53 -07:00
|
|
|
import { CSRFError } from '../errors';
|
|
|
|
|
|
2015-02-22 18:15:22 -06:00
|
|
|
var csrf = require("csrf");
|
|
|
|
|
|
|
|
|
|
var tokens = csrf();
|
|
|
|
|
|
2015-02-24 10:48:51 -06:00
|
|
|
exports.init = function csrfInit (domain) {
|
|
|
|
|
return function (req, res, next) {
|
|
|
|
|
var secret = req.signedCookies._csrf;
|
|
|
|
|
if (!secret) {
|
|
|
|
|
secret = tokens.secretSync();
|
|
|
|
|
res.cookie("_csrf", secret, {
|
|
|
|
|
domain: domain,
|
|
|
|
|
signed: true,
|
|
|
|
|
httpOnly: true
|
|
|
|
|
});
|
|
|
|
|
}
|
2015-02-22 18:15:22 -06:00
|
|
|
|
2015-02-24 10:48:51 -06:00
|
|
|
var token;
|
2015-02-22 18:15:22 -06:00
|
|
|
|
2015-02-24 10:48:51 -06:00
|
|
|
req.csrfToken = function csrfToken() {
|
|
|
|
|
if (token) {
|
|
|
|
|
return token;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token = tokens.create(secret);
|
2015-02-22 18:15:22 -06:00
|
|
|
return token;
|
2015-02-24 10:48:51 -06:00
|
|
|
};
|
2015-02-22 18:15:22 -06:00
|
|
|
|
2015-02-24 10:48:51 -06:00
|
|
|
next();
|
2015-02-22 18:15:22 -06:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
exports.verify = function csrfVerify(req) {
|
|
|
|
|
var secret = req.signedCookies._csrf;
|
|
|
|
|
var token = req.body._csrf || req.query._csrf;
|
|
|
|
|
|
|
|
|
|
if (!tokens.verify(secret, token)) {
|
2015-10-26 22:56:53 -07:00
|
|
|
throw new CSRFError('Invalid CSRF token');
|
2015-02-22 18:15:22 -06:00
|
|
|
}
|
|
|
|
|
};
|
