

enhancement: CSRF validation doesn't occur on /abe/rest routes and oA…
…uth token can now be extracted from body, query, cookie or headers x-access-token or authorization
gregorybesson committed Apr 25, 2017
1 parent b90938e commit 633033d
Showing 3 changed files with 18 additions and 6 deletions.
13 changes: 12 additions & 1 deletion src/cli/users/utils.js
Expand Up @@ -174,7 +174,12 @@ export function isValid(user, password) {

export function decodeUser(req, res) {
var decoded = {}
var token = User.utils.getTokenFromCookies(req, res)
var token = req.body.token ||
req.query.token ||
req.headers['x-access-token'] ||
User.utils.getTokenFromCookies(req, res) ||
User.utils.getTokenFromAuthHeader(req, res)

if(typeof token !== 'undefined' && token !== null && token !== '') {
try {
var secret = config.users.secret
Expand All @@ -185,6 +190,12 @@ export function decodeUser(req, res) {
return decoded
}

export function getTokenFromAuthHeader(req, res){
if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
return req.headers.authorization.split(' ')[1];
}
}

export function getTokenFromCookies(req, res) {
var cookies = new Cookies(req, res, {
secure: config.cookie.secure
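Review bot: `req.query.token` in the new `var token` chain accepts the session JWT from the URL query string, where it ends up in access logs, proxy logs, browser history and outbound Referer headers; unless a specific client needs it, drop that source and keep body, cookie and the two headers. `req.body.token` also assumes a body parser has run for every request reaching decodeUser — if `req.body` is undefined on a bodyless request the chain throws a TypeError before any fallback is tried (hedged: depends on middleware order not visible here), so `(req.body && req.body.token) ||` is the safer first term. In getTokenFromAuthHeader, `split(' ')[1]` yields `undefined` for a bare `Bearer` header and `''` for a double-spaced one; both are rejected only because decodeUser checks for undefined/null/'' afterwards, so a comment such as `// returns undefined when no Bearer credential is present; callers must check` would make that dependency explicit, and the `=== 'Bearer'` comparison is case-sensitive whereas RFC 6750 treats the scheme name as case-insensitive. decodeUser's body continues past the hunk.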
9 changes: 5 additions & 4 deletions src/server/middlewares/checkCsrf.js
@@ -1,12 +1,13 @@
var middleware = function(err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') {
return next(err)
}else {
} else {
if( req.url.indexOf('/abe/users/forgot') > -1 ||
req.url.indexOf('/abe/users/login') > -1 ||
req.url.indexOf('/abe/rest/authenticate') > -1 ||
req.url.indexOf('/abe/rest/') > -1 ||
!/^\/abe/.test(req.url) ||
!/^\/abe/.test(req.url)
!/^\/abe/.test(req.url) ||
typeof req.header('Referer') === 'undefined' // to be removed once all routes are under /abe/rest
) {
return next()
}
Expand All @@ -15,7 +16,7 @@ var middleware = function(err, req, res, next) {
var isHtml = /text\/html/.test(req.get('accept')) ? true : false
if(isHtml) {
res.redirect('/abe/users/login')
}else {
} else {
var notAuthorized = {
success: 0,
message: 'form tampered with !'
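Review bot: The new `req.url.indexOf('/abe/rest/') > -1` exemption is a substring match on the full URL, so a request to any other /abe path whose query string happens to contain `/abe/rest/` is exempted too; anchor it on the path instead, `req.path.indexOf('/abe/rest/') === 0`, which also makes the `/abe/rest/authenticate` line above it redundant. Because decodeUser in src/cli/users/utils.js still accepts the token from the x-access-token cookie, every state-changing /abe/rest/ route is now both cookie-authenticated and CSRF-exempt, so either cookie-authenticated requests should stay subject to the check or the REST routes should accept only header- or body-carried tokens. The `typeof req.header('Referer') === 'undefined'` clause disables the check for any request that simply omits the header, which is the client's choice, so the inline "to be removed" comment marks a real gap rather than a cleanup and should carry a tracking reference, e.g. `// FIXME(<owner>): remove once all routes are under /abe/rest — a missing Referer currently skips the CSRF check`. The three near-identical `!/^\/abe/.test(req.url)` lines make it hard to tell from this rendering which one survives; the new side should contain exactly one of them, with a trailing `||` only because the Referer clause follows it.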
2 changes: 1 addition & 1 deletion src/server/routes/rest/authenticate.js
Expand Up @@ -80,7 +80,7 @@ var route = function(req, res, next) {
})
cookies.set( 'x-access-token', token )

var result = {}
var result = {id_token:token}
res.set('Content-Type', 'application/json')
res.send(JSON.stringify(result))
})(req, res, next)
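Review bot: The response built at the new `var result = {id_token:token}` line now carries the session JWT in the body, but the handler sets only Content-Type; a response that returns a credential should also disable caching, `res.set('Cache-Control', 'no-store')` before `res.send`, so intermediaries and browser caches do not retain it. The same token is set as the x-access-token cookie two lines above, so the caller ends up with two copies of one bearer credential; a short comment stating why the body copy is needed (presumably for non-browser clients that send it back in the Authorization header — confirm) would document that decision. The property name `id_token` suggests an OpenID Connect ID token, whereas this appears to be the application's own access token, so a name matching the header it is meant to travel in would be less misleading. The enclosing route function starts and ends outside the hunk.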
