feat(csrf): csrf can now be disabled

Florian Weber · Florian Weber · commit a805cc5ea6cb · 2019-04-12T16:26:06.000+02:00
By setting the new configuration parameter 'csrf' to true or false, you are able to disable or enable it.
diff --git a/packages/config/configs/server.js b/packages/config/configs/server.js
@@ -1,4 +1,5 @@
 export default () => ({
   csrfExclude: [],
+  csrf: true,
   createRenderer: {}
 });
diff --git a/packages/core/server.js b/packages/core/server.js
@@ -18,7 +18,6 @@ import WWW                      from './www';
 export default class Server extends WWW {
   constructor(hooks, config) {
     super(hooks, config);
-    this.csrfProtection = csrf({ cookie: true });
     this.renderer = null;
     this.readyPromise = null;
     this.isProd = process.env.NODE_ENV === 'production';
@@ -111,10 +110,13 @@ export default class Server extends WWW {
 
     this.middlewares.push(bodyParser.json());
     this.middlewares.push(bodyParser.urlencoded({ extended: false }));
-    this.middlewares.push((req, res, next) => {
-      if (indexOf(this.config.csrfExclude, req.path) !== -1) return next();
-      csrf({ cookie: true })(req, res, next);
-    });
+
+    if (this.config.csrf) {
+      this.middlewares.push((req, res, next) => {
+        if (indexOf(this.config.csrfExclude, req.path) !== -1) return next();
+        csrf({ cookie: true })(req, res, next);
+      });
+    }
         
     for (const middleware of this.hooks.middlewares) {
       middleware({
@@ -210,7 +212,7 @@ export default class Server extends WWW {
       }
     });
 
-    this.app.get('*', this.csrfProtection, this.isProd ? this.render.bind(this) : (req, res) => {
+    this.app.get('*', this.isProd ? this.render.bind(this) : (req, res) => {
       self.readyPromise.then(() => self.render(req, res));
     });
   }
@@ -221,10 +223,11 @@ export default class Server extends WWW {
     const context = {
       title: process.env.APP_NAME,
       url: req.url,
-      csrfToken: req.csrfToken(),
       cookies: req.cookies
     };
 
+    if (this.config.csrf) Object.assign(context, { csrfToken: req.csrfToken() });
+
     if (typeof req.flash === 'function') Object.assign(context, { flash: req.flash() });
     if (typeof req.isAuthenticated === 'function') Object.assign(context, { isAuthenticated: req.isAuthenticated(), user: req.user });
         
diff --git a/packages/renderer/src/builder.js b/packages/renderer/src/builder.js
@@ -36,7 +36,8 @@ export default class Builder {
         const compiledApp = compiled({
           config: {
             progressbar: this.globalConfig.progressbar,
-            i18n: this.globalConfig.i18n
+            i18n: this.globalConfig.i18n,
+            csrf: this.globalConfig.csrf
           }
         });
 
diff --git a/packages/vue-app/lib/entry-client.js b/packages/vue-app/lib/entry-client.js
@@ -1,14 +1,14 @@
-import { createApp }        from './app';
-import Vue                  from 'vue';
-import axios                from 'axios';
-import forEach              from 'lodash/forEach';
+import { createApp } from './app';
+import Vue from 'vue';
+import axios from 'axios';
+import forEach from 'lodash/forEach';
 const { app, router, store } = createApp({ isServer: false });
 
 // eslint-disable-next-line no-unused-vars
 class ClientEntry {
   constructor() {
     this.addMobileCheck();
-    this.configureCSRF();
+    <% if (config.csrf) { %> this.configureCSRF(); <% } %>
     this.setRouterMixins();
     this.initMixin();
 
@@ -60,6 +60,7 @@ class ClientEntry {
     };
   }
 
+  <% if (config.csrf) { %>
   configureCSRF() {
     let token = document.querySelector('meta[name="csrf-token"]');
 
@@ -70,6 +71,7 @@ class ClientEntry {
       console.error('CSRF token not found');
     }
   }
+  <% } %>
 
   setRouterMixins() {
     Vue.mixin({
diff --git a/packages/vue-app/lib/entry-server.js b/packages/vue-app/lib/entry-server.js
@@ -4,7 +4,7 @@ import { createApp } from './app';
 
 Vue.prototype.$auth = null;
 Vue.prototype.$modernizr = {};
-Vue.prototype.$csrf = '';
+<% if (config.csrf) { %> Vue.prototype.$csrf = ''; <% } %>
 
 const mixinContext = require.context('@/', false, /^\.\/entry-server\.js$/i);
 
diff --git a/packages/vue-app/lib/index.template.html b/packages/vue-app/lib/index.template.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>{{ meta.inject() }}
 <html data-vue-meta-server-rendered {{{ meta.htmlAttrs.text() }}}>
 <head>
-    <meta name="csrf-token" content="{{ csrfToken }}">
+    <% if (config.csrf) { %> <meta name="csrf-token" content="{{ csrfToken }}"> <% } %>
     {{{ meta.meta.text() + meta.title.text() + meta.link.text() + meta.style.text() + meta.script.text() + meta.noscript.text() }}}
 </head>
 <body {{{ meta.bodyAttrs.text() }}}>

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,8 @@ export default class Builder {`
`36`	`36`	`const compiledApp = compiled({`
`37`	`37`	`config: {`
`38`	`38`	`progressbar: this.globalConfig.progressbar,`
`39`		`- i18n: this.globalConfig.i18n`
	`39`	`+ i18n: this.globalConfig.i18n,`
	`40`	`+ csrf: this.globalConfig.csrf`
`40`	`41`	`}`
`41`	`42`	`});`
`42`	`43`