added csrf protection

jedireza · jedireza · commit dc23e7aedc76 · 2014-08-14T23:49:37.000-07:00
diff --git a/Gruntfile.js b/Gruntfile.js
@@ -26,6 +26,10 @@ module.exports = function(grunt) {
             expand: true, cwd: 'bower_components/jquery/dist/',
             src: ['jquery.js'], dest: 'public/vendor/jquery/'
           },
+          {
+            expand: true, cwd: 'bower_components/jquery.cookie/',
+            src: ['jquery.cookie.js'], dest: 'public/vendor/jquery.cookie/'
+          },
           {
             expand: true, cwd: 'bower_components/momentjs/',
             src: ['moment.js'], dest: 'public/vendor/momentjs/'
@@ -93,6 +97,7 @@ module.exports = function(grunt) {
         files: {
           'public/layouts/core.min.js': [
             'public/vendor/jquery/jquery.js',
+            'public/vendor/jquery.cookie/jquery.cookie.js',
             'public/vendor/underscore/underscore.js',
             'public/vendor/backbone/backbone.js',
             'public/vendor/bootstrap/js/affix.js',
diff --git a/app.js b/app.js
@@ -3,13 +3,15 @@
 //dependencies
 var config = require('./config'),
     express = require('express'),
+    cookieParser = require('cookie-parser'),
     session = require('express-session'),
     mongoStore = require('connect-mongo')(session),
     http = require('http'),
     path = require('path'),
     passport = require('passport'),
     mongoose = require('mongoose'),
-    helmet = require('helmet');
+    helmet = require('helmet'),
+    csrf = require('csurf');
 
 //create express app
 var app = express();
@@ -42,17 +44,19 @@ app.use(require('compression')());
 app.use(require('serve-static')(path.join(__dirname, 'public')));
 app.use(require('body-parser')());
 app.use(require('method-override')());
-app.use(require('cookie-parser')());
+app.use(cookieParser(config.cryptoKey));
 app.use(session({
   secret: config.cryptoKey,
   store: new mongoStore({ url: config.mongodb.uri })
 }));
 app.use(passport.initialize());
 app.use(passport.session());
+app.use(csrf({ cookie: { signed: true } }));
 helmet.defaults(app);
 
 //response locals
 app.use(function(req, res, next) {
+  res.cookie('_csrfToken', req.csrfToken());
   res.locals.user = {};
   res.locals.user.defaultReturnUrl = req.user && req.user.defaultReturnUrl();
   res.locals.user.username = req.user && req.user.username;
diff --git a/bower.json b/bower.json
@@ -6,6 +6,7 @@
     "font-awesome": "~4.0.3",
     "html5shiv": "~3.7.0",
     "jquery": "~1.11.0",
+    "jquery.cookie": "~1.4.1",
     "momentjs": "~2.5.0",
     "respond": "~1.4.2",
     "underscore": "~1.5.2"
diff --git a/package.json b/package.json
@@ -28,7 +28,8 @@
     "passport-google-oauth": "^0.1.5",
     "passport-tumblr": "^0.1.2",
     "helmet": "^0.2.1",
-    "bcrypt": "^0.7.8"
+    "bcrypt": "^0.7.8",
+    "csurf": "^1.4.0"
   },
   "devDependencies": {
     "grunt": "^0.4.4",
diff --git a/public/layouts/core.js b/public/layouts/core.js
@@ -13,6 +13,11 @@ var app; //the main declaration
     //register global ajax handlers
     $(document).ajaxStart(function(){ $('.ajax-spinner').show(); });
     $(document).ajaxStop(function(){  $('.ajax-spinner').hide(); });
+    $.ajaxSetup({
+      beforeSend: function (xhr) {
+        xhr.setRequestHeader('x-csrf-token', $.cookie('_csrfToken'));
+      }
+    });
 
     //ajax spinner follows mouse
     $(document).bind('mousemove', function(e) {
