Remove CSRF for now

mozilla · May 15, 2019 · fd0b791 · fd0b791
1 parent c038a22
commit fd0b791
Show file tree

Hide file tree

Showing 4 changed files with 1 addition and 36 deletions.
diff --git a/lib/formHandling.js b/lib/formHandling.js
@@ -16,7 +16,6 @@ function parseForm(req) {
   return new Promise((resolve, reject) => {
     const formFields = {};
     const uniqueName = uuidv4();
-    let csrfChecked = false;
 
     form.parse(req)
       .on('fileBegin', (name, file) => {
@@ -30,14 +29,6 @@ function parseForm(req) {
       })
       .on('field', (name, field) => {
         debug('INCOMING_REQUEST_FIELD', name, field);
-        if (name === '_csrf') {
-          if (req.session.csrf !== field) {
-            return reject(new Error('INVALID_CSRF'));
-          }
-
-          csrfChecked = true;
-          return;
-        }
 
         if (name === 'github' && field && !field.startsWith('@')) {
           field = `@${field}`;
@@ -65,10 +56,6 @@ function parseForm(req) {
         reject(err);
       })
       .on('end', () => {
-        if (!csrfChecked) {
-          return reject(new Error('NO_CSRF_CHECK_ABORTING'));
-        }
-
         const allFieldsValidated = validateFields(formFields);
         if (!allFieldsValidated) {
           return reject(new Error('VALIDATION_FAILED'));

diff --git a/middleware.js b/middleware.js
diff --git a/routes/index.js b/routes/index.js
@@ -2,23 +2,20 @@
 
 const debug = require('debug')('mozilla-fenix-campaign:routes');
 const express = require('express');
-const middleware = require('../middleware');
 const formHandling = require('../lib/formHandling');
 const githubBackend = require('../lib/githubBackend');
 
 const router = express.Router();
 
 const { OWNER, REPO } = process.env;
-const { csrfProtection } = middleware;
 
-router.get('/', csrfProtection, async (req, res) => {
+router.get('/', async (req, res) => {
   debug('INCOMING_REQUEST_INDEX');
   const issue = `https://github.com/${OWNER}/${REPO}/issues/${req.query.issue}`
   res.render('index', {
     success: /true/.test(req.query.success),
     submitted: /true/.test(req.query.submitted),
     issue,
-    csrf: req.session.csrf,
   });
 });
 

diff --git a/views/index.pug b/views/index.pug
@@ -76,7 +76,6 @@ block content
         div(class="input-group")
           label(for="github") Your GitHub account name if you have one<br><span class="field-note">(this will appear in the public GitHub issue)</span>
           input(id="github", type="text", name="github")
-        input(id="csrf", type="hidden", name="_csrf", value=csrf)
         button(type="submit") Create Issue
 
   footer