Skip to content

CSRF/XSS protection #374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 26, 2017
Merged

CSRF/XSS protection #374

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ed3b5bf
/api endpoints only allows requests with application/json Content-Type
andrewn Jun 26, 2017
0cae817
Uses CSRF token
andrewn Jun 26, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@
"cookie-parser": "^1.4.1",
"cors": "^2.8.1",
"csslint": "^0.10.0",
"csurf": "^1.9.0",
"decomment": "^0.8.7",
"dotenv": "^2.0.0",
"dropzone": "^4.3.0",
Expand Down
25 changes: 18 additions & 7 deletions server/server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import session from 'express-session';
import connectMongo from 'connect-mongo';
import passport from 'passport';
import path from 'path';
import csurf from 'csurf';

// Webpack Requirements
import webpack from 'webpack';
Expand All @@ -23,6 +24,7 @@ import files from './routes/file.routes';
import aws from './routes/aws.routes';
import serverRoutes from './routes/server.routes';
import embedRoutes from './routes/embed.routes';
import { requestsOfTypeJSON } from './utils/requestsOfType';

import { renderIndex } from './views/index';
import { get404Sketch } from './views/404Page';
Expand Down Expand Up @@ -73,18 +75,27 @@ app.use(session({
autoReconnect: true
})
}));

// Enables CSRF protection and stores secret in session
app.use(csurf());
// Middleware to add CSRF token as cookie to some requests
const csrfToken = (req, res, next) => {
res.cookie('XSRF-TOKEN', req.csrfToken());
next();
};

app.use(passport.initialize());
app.use(passport.session());
app.use('/api', users);
app.use('/api', sessions);
app.use('/api', projects);
app.use('/api', files);
app.use('/api', aws);
app.use('/api', requestsOfTypeJSON(), users);
app.use('/api', requestsOfTypeJSON(), sessions);
app.use('/api', requestsOfTypeJSON(), projects);
app.use('/api', requestsOfTypeJSON(), files);
app.use('/api', requestsOfTypeJSON(), aws);
// this is supposed to be TEMPORARY -- until i figure out
// isomorphic rendering
app.use('/', serverRoutes);
app.use('/', csrfToken, serverRoutes);

app.use('/', embedRoutes);
app.use('/', csrfToken, embedRoutes);
app.get('/auth/github', passport.authenticate('github'));
app.get('/auth/github/callback', passport.authenticate('github', { failureRedirect: '/login' }), (req, res) => {
res.redirect('/');
Expand Down
15 changes: 15 additions & 0 deletions server/utils/requestsOfType.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
/*
express middleware that sends a 406 Unacceptable
response if an incoming request's Content-Type
header does not match `type`
*/
const requestsOfType = type => (req, res, next) => {
if (req.get('content-type') != null && !req.is(type)) {
return next({ statusCode: 406 }); // 406 UNACCEPTABLE
}

return next();
};

export default requestsOfType;
export const requestsOfTypeJSON = () => requestsOfType('application/json');