
Throw error if `routesDisabled`, `origin` or `grantTokenViaAjax` is set for CSRF
1 parent a42f2bc commit 84df8b6fde93d3429173edfe693e8d57795af98f @sgress454 sgress454 committed Jan 12, 2017
Showing with 34 additions and 0 deletions.
  1. +34 −0 lib/hooks/security/index.js
@@ -64,6 +64,40 @@ module.exports = function(sails) {
sails.config.security.csrf = sails.config.csrf;
}
+ if (!_.isUndefined(sails.config.security.csrf.routesDisabled)) {
+ throw new Error(
+ '\n-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-\n'+
+ 'Invalid global CSRF settings: `routesDisabled` is no longer supported as of Sails v1.0.\n'+
+ 'Instead, set `csrf: false` in `config/routes.js` for any route that you want exempted\n'+
+ 'from CSRF protection.\n'+
+ 'For more info see: http://sailsjs.com/docs/concepts/security/csrf#?enabling-csrf-protection.\n'+
+ '-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-\n'
+ );
+ }
+
+ if (!_.isUndefined(sails.config.security.csrf.origin)) {
+ throw new Error(
+ '\n-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-\n'+
+ 'Invalid global CSRF settings: `origin` is no longer supported as of Sails v1.0.\n'+
+ 'Instead, apply CORS settings directly to the CSRF-token-dispensing route in `config/routes.js`.\n'+
+ 'For more info see: \n'+
+ 'http://next.sailsjs.com/docs/concepts/security/csrf#?using-ajax-websockets\n'+
+ 'http://next.sailsjs.com/documentation/concepts/security/cors\n'+
+ '-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-\n'
+ );
+ }
+
+ if (!_.isUndefined(sails.config.security.csrf.grantTokenViaAjax)) {
+ throw new Error(
+ '\n-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-\n'+
+ 'Invalid global CSRF settings: `grantTokenViaAjax` is no longer supported as of Sails v1.0.\n'+
+ 'Instead, add a route to your `config/routes.js` file using the `security/grant-csrf-token` action.\n'+
+ 'For more info see: http://next.sailsjs.com/docs/concepts/security/csrf#?using-ajax-websockets\n'+
+ '-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-\n'
+ );
+ }
+
+
// ██████╗ ██████╗ ███╗ ██╗███████╗██╗ ██████╗ ██╗ ██╗██████╗ ███████╗
// ██╔════╝██╔═══██╗████╗ ██║██╔════╝██║██╔════╝ ██║ ██║██╔══██╗██╔════╝
// ██║ ██║ ██║██╔██╗ ██║█████╗ ██║██║ ███╗██║ ██║██████╔╝█████╗
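Review bot: The three new `_.isUndefined` checks dereference `sails.config.security.csrf` unconditionally, so if that value is `undefined` at this point (neither `security.csrf` nor the legacy `csrf` key set, and the copy on the first context line not having run) the hook dies with a bare TypeError rather than one of the intended messages; a boolean `csrf: true`/`false` is fine, since property reads on a primitive just yield `undefined`. Unless a default is guaranteed earlier in the hook (outside this hunk), read the settings once into a local, `var csrfConfig = sails.config.security.csrf || {};`, and test `csrfConfig.routesDisabled` etc., or wrap the three checks in `if (_.isObject(sails.config.security.csrf)) { … }`. The documentation links shown to users are also inconsistent: the `routesDisabled` message points at `sailsjs.com/docs/...`, the other two at `next.sailsjs.com/docs/...` and `next.sailsjs.com/documentation/...`, and these are printed at boot, so one canonical host and path should be chosen before the `next.` host goes away. Since the `origin` replacement is route-level CORS on the token-dispensing route, a brief comment above that check such as `// Note: the CORS settings on the grant-csrf-token route are what now limits which origins can obtain a token — keep them restrictive.` would help whoever follows the message. The enclosing hook function (`module.exports = function(sails)`) begins before the hunk and continues past it.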
