CSRF should be a middleware

[julianlam]

This has the possibility of breaking a number of plugins, but given that I don't know a single example of a plugin that adds POST routes that isn't written by me, I think we can just squeeze this into 0.5.1 as well.

Anyway -- we require CSRF for all POST/PUT/DELETE requests, which precludes the possibility of building a write-enabled API that utilises other methods of authentication (e.g. API key or oauth2 access token over HTTPS).

Also, the CSRF system is due for a rewrite anyway.

Notes

• CSRF will be an optional middleware instead of included by default on all requests

[julianlam]

NodeBB/nodebb-theme-vanilla@da2b110

[psychobunny]

but given that I don't know a single example of a plugin that adds POST routes that isn't written by me

dbsearch + RSS plugin by @barisusakli and my blog comments plugin, just off the top of my head

[julianlam]

Eh, either me or one of us, anyway.

[akhoury]

@xCRNSx, this concerns https://github.com/xCRNSx/nodebb-widget-gameservers.
I couldn't create an issue in the fork. You should create your own repo instead of a fork

[julianlam]

I believe you can re-enable issues in forks... though I'm not entirely sure on that.

[julianlam]

closed via a061079

[julianlam]

The behaviour of the csrf token has changed!

Instead of being omni-present on the header, they are added to certain templates that require it.

For example, we want to secure the uploading of favicons in the admin panel, which is a POST upload request:
* We add the middleware.applyCSRF middleware to the uploadfavicon route
* We then generate a csrf token in the controller and pass it through to the template
* We add it to the template (or if you're using a form, you can put it into the form as a hidden input as well)

[akhoury]

it's too complicated for me if it's more than one LOC
I'll stalk around for an example. (db-search, rss or blog)