// Since the CSRF middleware does not block GET requests, verify them manually here.
/**
 * Build a CSRF token of the form `salt + base64(sha1(salt + secret))`.
 *
 * The salt is echoed in clear at the front of the token so that a verifier
 * holding only the token and the session secret can recompute the digest.
 * Callers are expected to pass string arguments; no coercion or length
 * check is performed here.
 *
 * @param {string} salt   - Per-token salt, prepended verbatim to the result.
 * @param {string} secret - Per-session secret mixed into the digest.
 * @returns {string} The salt followed by the base64 SHA-1 digest.
 */
function createToken(salt, secret) {
  var hash = crypto.createHash('sha1');
  hash.update(salt + secret);
  var digest = hash.digest('base64');
  return salt + digest;
}
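/**
 * Verify a CSRF token against the session secret.
 *
 * The first 10 characters of the token are taken as the salt (the generator's
 * salt length must match this constant); the expected token is rebuilt with
 * createToken() and compared to the supplied one.
 *
 * Two hardening points beyond a plain `===`:
 *  - A missing or empty secret is rejected up front. Without this guard an
 *    absent session secret would be stringified into the digest input
 *    (`salt + undefined`), making the "expected" token computable by anyone.
 *  - The comparison is constant-time via crypto.timingSafeEqual, so the
 *    verdict does not leak how many leading characters matched.
 *
 * @param {*} token  - Value taken from the request; anything but a string fails.
 * @param {*} secret - Session secret; anything but a non-empty string fails.
 * @returns {boolean} true only when the token is a valid token for `secret`.
 */
function checkToken(token, secret) {
  if ('string' !== typeof token) return false;
  if ('string' !== typeof secret || secret.length === 0) return false;
  var expected = createToken(token.slice(0, 10), secret);
  var actualBuf = Buffer.from(token);
  var expectedBuf = Buffer.from(expected);
  // timingSafeEqual throws on unequal byte lengths; a length mismatch is
  // simply an invalid token.
  if (actualBuf.length !== expectedBuf.length) return false;
  return crypto.timingSafeEqual(actualBuf, expectedBuf);
}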
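// Supplements the CSRF middleware installed upstream: for /api/v2/ requests it
// also verifies the X-XSRF-TOKEN header, which the upstream check skips for GET.
// Requests outside that scope, or with req.csrfNeeded unset, pass straight through.
app.use(function (req, res, next) {
  var isAllowed = true;
  if (req.csrfNeeded) {
    // Mint one token per response: each req.csrfToken() call produces a fresh
    // salt, so issuing the same value to the cookie and the template keeps
    // them consistent (both would have validated, but two tokens were wasteful).
    var token = req.csrfToken();
    // NOTE(review): the cookie carries no secure/sameSite flags. The client
    // script must be able to read it (so no httpOnly), but `secure` should be
    // considered for HTTPS deployments - confirm against the deployment setup.
    res.cookie('XSRF-TOKEN', token);
    res.locals.token = token;
    // Express routing is case-insensitive by default, so the URL must be
    // compared case-insensitively or /API/v2/ would reach the handler unchecked.
    var isApiV2 = req.url.toLowerCase().indexOf('/api/v2/') !== -1;
    if (isApiV2 && (req.method === 'POST' || req.method === 'GET')) {
      // Guard against a missing session: dereferencing it would raise a
      // TypeError (a 500 instead of a 403), and an undefined secret must never
      // reach the token check, where it would be stringified into the digest.
      var secret = req.session && req.session._csrfSecret;
      var val = req.headers['x-xsrf-token'];
      isAllowed = typeof secret === 'string' && checkToken(val, secret);
    }
  }
  if (!isAllowed) {
    res.status(403);
    res.render('403.jade', {error: '403: Forbidden'});
  } else {
    next();
  }
});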