|
| 1 | +var express = require('express'); |
| 2 | +var cookieParser = require('cookie-parser'); |
| 3 | +var passport = require('passport'); |
| 4 | + |
| 5 | +(function () { |
| 6 | + |
| 7 | + var app = express() |
| 8 | + |
| 9 | + app.use(cookieParser()) |
| 10 | + app.use(passport.authorize({ session: true })) |
| 11 | + |
| 12 | + function getCsrfToken(request) { |
| 13 | + return request.headers['x-xsrf-token']; |
| 14 | + } |
| 15 | + |
| 16 | + function setCsrfToken(request, response, next) { |
| 17 | + response.cookie('XSRF-TOKEN', request.csrfToken()); |
| 18 | + next(); |
| 19 | + } |
| 20 | + |
| 21 | + const csrf = { |
| 22 | + getCsrfToken: getCsrfToken, |
| 23 | + setCsrfToken: setCsrfToken |
| 24 | + }; |
| 25 | + |
| 26 | + app.use(express.csrf({ value: csrf.getCsrfToken })); |
| 27 | + app.use(csrf.setCsrfToken); |
| 28 | + |
| 29 | + app.post('/changeEmail', function (req, res) { |
| 30 | + let newEmail = req.cookies["newEmail"]; |
| 31 | + }) |
| 32 | +}); |
| 33 | + |
| 34 | + |
| 35 | + |
| 36 | +(function () { |
| 37 | + var app = express() |
| 38 | + |
| 39 | + app.use(cookieParser()) |
| 40 | + app.use(passport.authorize({ session: true })) |
| 41 | + |
| 42 | + var crypto = require('crypto'); |
| 43 | + |
| 44 | + var generateToken = function (len) { |
| 45 | + return crypto.randomBytes(Math.ceil(len * 3 / 4)) |
| 46 | + .toString('base64') |
| 47 | + .slice(0, len); |
| 48 | + }; |
| 49 | + function defaultValue(req) { |
| 50 | + return (req.body && req.body._csrf) |
| 51 | + || (req.query && req.query._csrf) |
| 52 | + || (req.headers['x-csrf-token']); |
| 53 | + } |
| 54 | + var checkToken = function (req, res, next) { |
| 55 | + var token = req.session._csrf || (req.session._csrf = generateToken(24)); |
| 56 | + if ('GET' == req.method || 'HEAD' == req.method || 'OPTIONS' == req.method) return next(); |
| 57 | + var val = defaultValue(req); |
| 58 | + if (val != token) return next(function () { |
| 59 | + res.send({ auth: false }); |
| 60 | + }); |
| 61 | + next(); |
| 62 | + } |
| 63 | + const csrf = { |
| 64 | + check: checkToken |
| 65 | + }; |
| 66 | + |
| 67 | + app.use(express.cookieParser()); |
| 68 | + app.use(express.session({ secret: 'thomasdavislovessalmon' })); |
| 69 | + app.use(express.bodyParser()); |
| 70 | + app.use(csrf.check); |
| 71 | + |
| 72 | + app.post('/changeEmail', function (req, res) { |
| 73 | + let newEmail = req.cookies["newEmail"]; |
| 74 | + }) |
| 75 | +}); |
0 commit comments