fix(app): add csrf middleware

Add csurf middleware to mitigate vulnerability

fix  #140

package.json

@@ -28,6 +28,7 @@
     "body-parser": "^1.18.3",
     "config": "^3.3.1",
     "cookie-parser": "^1.4.4",
+    "csurf": "^1.11.0",
     "dateformat": "^3.0.3",
     "express": "^4.16.4",
     "express-list-endpoints": "^5.0.0",
@@ -108,4 +109,4 @@
       "path": "./node_modules/cz-conventional-changelog"
     }
   }
-}
+}

server/app-factory.js

@@ -55,7 +55,4 @@ class AppFactory {
   }
 }
 
-module.exports = {
-  AppFactory: AppFactory,
-  app: app
-}
+module.exports = AppFactory

server/app.js

@@ -10,8 +10,8 @@ var httpServer
 var httpPort = -1
 process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
 
-const appFactory = new AppFactory()
-const app = appFactory.createApp()
+const appFactoryInstance = new AppFactory()
+const app = appFactoryInstance.createApp()
 
 /**
  * Creates express server for the first time and recreates if port changed

test/app-factory.test.js

@@ -0,0 +1,56 @@
+const chai = require('chai')
+const assert = chai.assert
+const rewire = require('rewire')
+const appFactoryRewire = rewire('../server/app-factory.js')
+const sinon = require('sinon')
+
+/**
+ * Helper: Returns the argument call number with matching args
+ * If none found, returns undefined
+ * @param {*} spyFn sinon.Spy function
+ * @param {*} argFn callback / function param
+ */
+function getCallWithArgs (spyFn, argFn) {
+  const calls = spyFn.getCalls()
+  const argFnString = argFn.toString()
+  let foundCall
+  for (const call in calls) {
+    const arg = spyFn.getCall(call).args[0]
+    if (arg.toString() === argFnString) {
+      foundCall = spyFn.getCall(call)
+    }
+  }
+  return foundCall
+}
+
+describe('csurf middleware', () => {
+  const rewiredCsurf = appFactoryRewire.__get__('csurf')
+
+  it('should exist', () => {
+    assert.exists(rewiredCsurf)
+  })
+
+  it('should be a function', () => {
+    assert.isFunction(rewiredCsurf)
+  })
+
+  it('should be equal csurf module', () => {
+    assert.strictEqual(rewiredCsurf, require('csurf'))
+  })
+
+  it('should be called once as app.use arg', () => {
+    const csurf = require('csurf')
+    const app = appFactoryRewire.__get__('app')
+    const AppFactory = appFactoryRewire.__get__('AppFactory')
+    const appUseSpy = sinon.spy(app, 'use')
+    const appInstance = new AppFactory()
+
+    appInstance.createApp()
+
+    const call = getCallWithArgs(appUseSpy, csurf({ cookie: true }))
+    const arg = call.args[0]
+    assert(arg.toString === csurf({ cookie: true }).toString)
+
+    sinon.restore()
+  })
+})