diff --git a/app/controllers/account.js b/app/controllers/account.js
index 7d653641d..91f110061 100644
--- a/app/controllers/account.js
+++ b/app/controllers/account.js
@@ -5,12 +5,15 @@ 'use strict'; var _ = require('lodash'), + Tokens = require('csrf'), fs = require('fs'), psjon = require('./../../package.json'), auth = require('./../auth/index'), path = require('path'), settings = require('./../config'); +var tokens = new Tokens(); + module.exports = function() { var app = this.app,
@@ -25,6 +28,7 @@ module.exports = function() { // Routes // app.get('/', middlewares.requireLogin.redirect, function(req, res) { + res.locals.csrfToken = tokens.create(req.session._csrf); res.render('chat.html', { account: req.user, settings: settings,
@@ -316,6 +320,7 @@ module.exports = function() { }); } req.session.passport = temp; + req.session._csrf = tokens.secretSync() res.json({ status: 'success', message: 'Logging you in...'
diff --git a/app/middlewares/requireLogin.js b/app/middlewares/requireLogin.js
index 5d7785e96..1bd60cd23 100644
--- a/app/middlewares/requireLogin.js
+++ b/app/middlewares/requireLogin.js
@@ -5,9 +5,21 @@ 'use strict'; var passport = require('passport'); +var Tokens = require('csrf'); +var tokens = new Tokens(); function getMiddleware(fail) { return function(req, res, next) { + if(req.method=='POST'){ + var fields = req.body || req.data; + var csrfToken = fields._csrf || fields['_csrf'] || req.headers['xcsrf-token']; + if(!tokens.verify(req.session._csrf, csrfToken)){ + res.sendStatus(401); + return; + } + } + if (req.user) { next(); return;
diff --git a/media/js/views/modals.js b/media/js/views/modals.js
index 6ac2c12c7..aa71a55e0 100644
--- a/media/js/views/modals.js
+++ b/media/js/views/modals.js 
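Review bot: `tokens.create(req.session._csrf)` in the `/` route will throw when the session carries no `_csrf` secret, which is the case for every session that existed before this deploy and, as far as this diff shows, for any login path other than the handler at line 320 that calls `tokens.secretSync()`; `csrf` rejects a missing secret with a TypeError, so the page errors instead of rendering. Provision the secret lazily before minting, with `if (!req.session._csrf) { req.session._csrf = tokens.secretSync(); }` placed ahead of the `res.locals.csrfToken` line. The route handler continues past the hunk.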
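Review bot: The added `req.session._csrf = tokens.secretSync()` lacks the terminating semicolon every neighbouring statement has; write `req.session._csrf = tokens.secretSync();`. Minting the secret only here means tokens can be created only for sessions that passed through this handler; if the application has other ways of populating `req.session.passport` (the `auth` module required at the top of the file suggests it may), they need the same line, and the logout path should clear or rotate `_csrf` so a token issued during one login does not remain valid for the next. The enclosing handler starts and ends outside the hunk.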
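Review bot: The new check in `getMiddleware` dereferences `fields` without confirming it exists: `var fields = req.body || req.data;` is `undefined` for a POST whose body the parsers did not populate (empty body, or a content type they do not handle), so `fields._csrf` throws a TypeError and the request dies with a 500 rather than a clean rejection, and `fields._csrf || fields['_csrf']` reads the same property twice. Use `var fields = req.body || req.data || {};` and `var csrfToken = fields._csrf || req.headers['xcsrf-token'];`. Two smaller points: only `POST` is guarded (loosely, with `==`), so any PUT/PATCH/DELETE routes behind this middleware stay unprotected, and a CSRF failure is conventionally answered with 403 rather than the 401 that `res.sendStatus(401)` sends, which clients read as an authentication challenge. The middleware body continues past the hunk.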
@@ -129,7 +129,8 @@ }, getToken: function() { var that = this; - $.post('./account/token/generate', function(data) { + var token = document.querySelector('meta[name="csrf-token"]').getAttribute('content'); + $.post('./account/token/generate', {_csrf: token}, function(data) { if (data.token) { that.$('.token').val(data.token); that.$('.generated-token').show();
@@ -138,7 +139,8 @@ }, removeToken: function() { var that = this; - $.post('./account/token/revoke', function(data) { + var token = document.querySelector('meta[name="csrf-token"]').getAttribute('content'); + $.post('./account/token/revoke', {_csrf: token}, function(data) { that.refresh(); swal('Success', 'Authentication token revoked!', 'success'); });
diff --git a/media/js/views/upload.js b/media/js/views/upload.js
index 2b9a54c15..521faf694 100644
--- a/media/js/views/upload.js
+++ b/media/js/views/upload.js
@@ -38,7 +38,8 @@ Dropzone && (Dropzone.autoDiscover = false); dictRemoveFile: 'Remove', parallelUploads: 8, maxFiles: 8, - previewTemplate: this.template + previewTemplate: this.template, + headers: {'xcsrf-token': document.querySelector('meta[name="csrf-token"]').getAttribute('content')} }); this.dropzone .on('sending', _.bind(this.sending, this))
diff --git a/package.json b/package.json
index 475381a00..50f519859 100644
--- a/package.json
+++ b/package.json
@@ -69,6 +69,7 @@ "connect-assets": "^5.3.0", "connect-mongo": "^1.2.1", "cookie-parser": "^1.4.3", + "csrf": "^3.1.0", "express.oi": "0.0.21", "helmet": "^2.1.1", "i18n": "^0.8.3",
diff --git a/templates/chat.html b/templates/chat.html
index 4ace7ca04..e71f06544 100644
--- a/templates/chat.html
+++ b/templates/chat.html
@@ -18,6 +18,7 @@ <% endblock %> <% block body %> +
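Review bot: `document.querySelector('meta[name="csrf-token"]').getAttribute('content')` in `getToken` throws a TypeError when the meta tag is absent from the page, and the identical expression is pasted into `removeToken` and into upload.js. Hoist it into one guarded helper, e.g. `function csrfToken() { var m = document.querySelector('meta[name="csrf-token"]'); return m ? m.getAttribute('content') : ''; }`, and call it at request time in each place. The enclosing view object starts and ends outside the hunk.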
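Review bot: Now that the server rejects a missing or stale token with a 401, the `$.post` in `removeToken` has no failure path, so a rejected revoke leaves the user with no feedback and the success `swal` never fires; chain a handler such as `.fail(function() { swal('Error', 'Could not revoke the token', 'error'); })` onto the `$.post` call. The same applies to `getToken` above. The enclosing view object starts and ends outside the hunk.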
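Review bot: The `headers` option is evaluated once when the Dropzone is constructed, so the `querySelector(...)` call throws a TypeError if the meta tag is missing and takes the whole uploader down with it, and the `'xcsrf-token'` value is frozen at that moment. Guard the lookup, or set the header from the `sending` handler the next line binds, where Dropzone hands over the xhr (`xhr.setRequestHeader('xcsrf-token', token)`), which also keeps the value current if the page ever refreshes the token. The header name differs from the conventional `x-csrf-token`/`csrf-token`, so it deserves a comment pointing at the matching read in requireLogin.js. The Dropzone setup continues past the hunk.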
diff --git a/templates/includes/modals/profile.html b/templates/includes/modals/profile.html
index 1e2239a67..100011047 100644
--- a/templates/includes/modals/profile.html
+++ b/templates/includes/modals/profile.html
@@ -2,6 +2,7 @@