Last active
September 25, 2016 00:25
-
-
Save vernak2539/9475654 to your computer and use it in GitHub Desktop.
Conditional CSRF
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var conditionalCSRF; // be careful with hoisting | |
| var lusca = require( 'lusca' ); | |
| var csrf = lusca.csrf(); | |
| var csrfFreeRoutes = { | |
| '/server-callback': true | |
| }; | |
| // ....everything else in your server | |
| app.configure( function() { | |
| app.use( express.cookieParser() ); | |
| app.use( express.session({ | |
| store: new express.session.MemoryStore() | |
| , secret: 'SOMEsecretShouldGoHerE' | |
| , key: 'SomeKEY' | |
| } ) ); | |
| // this is where the magic happens. | |
| conditionalCSRF = function( req, res, next ) { | |
| if( Boolean( csrfFreeRoutes[ req.path ] ) ) { | |
| next(); | |
| } else { | |
| csrf( req, res, next ); | |
| } | |
| } | |
| app.use( conditionalCSRF ); | |
| }); | |
| app.post( '/server-callback', function( req, res, next ) { | |
| // do something here | |
| }); | |
| // ....everything else in your server |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <script> | |
| window.csrfToken = "{{ csrfToken }}"; // handlebars should replace this with the actual token | |
| </script> | |
| </head> | |
| <body></body> | |
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict'; | |
| var express = require( 'express' ); // version ^3.5.0 | |
| var lusca = require( 'lusca' ); // version ^1.0.0 | |
| var app = express(); | |
| // ....everything else in your server | |
| // it doesn't have to be inside the configure portion. that's just where I put it | |
| // in express4 you won't even have this option | |
| app.configure( function() { | |
| app.use( express.cookieParser() ); | |
| app.use( express.session({ | |
| store: new express.session.MemoryStore() | |
| , secret: 'SOMEsecretShouldGoHerE' | |
| , key: 'SomeKEY' | |
| } ) ); | |
| // this is where the magic happens. | |
| // you NEED the cookieParser and Session middleware for this work | |
| app.use( lusca.csrf() ); | |
| }); | |
| // ....everything else in your server | |
| app.get( '/', function( req, res ) { | |
| // I'm assuming you have some sort of rendering engine set up so it renders the index template | |
| // if using handlebars the token would be rendered using {{ csrfToken }}. | |
| // I'm going to assume something like the next line is inserted into the head when it's rendered | |
| // <script>window.csrfToken = "{{ csrfToken }}";</script> | |
| res.render( 'index', { | |
| // this is the CSRF token | |
| // if you're using a version of lusca before 1.0.0 you can use req.csrfToken() also | |
| csrfToken: res.locals._csrf | |
| }); | |
| }) | |
| // start that baby up | |
| app.listen( 3001, function() { | |
| console.log( 'Listening on port %d', 3001 ); | |
| }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment