var crypto = require('crypto');
var express = require('express');
var flash = require('connect-flash');
var env = require('./lib/environment');
var util = require('./lib/util');
var logger = require('./lib/logger');
// Cookie-parsing middleware; the configured `secret` is handed to
// express.cookieParser so cookies signed with it can be read back.
exports.cookieParser = function () {
  return express.cookieParser(env.get('secret'));
};
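/**
 * Build the session store handed to exports.session().
 *
 * Memcached takes precedence when both backends are configured; otherwise a
 * Redis store is built with its `db` option taken from `redis_session_db`.
 * Note that the `env` parameter shadows the module-level `env` require; both
 * are expected to expose the same `get(key)` accessor.
 *
 * @param {object} env - configuration accessor (only `env.get` is used)
 * @returns {object} a connect-compatible session store instance
 * @throws {Error} when neither `memcached` nor `redis` is configured
 */
exports.getSessionStore = function getSessionStore(env) {
  const memcachedOpts = env.get('memcached');
  if (memcachedOpts) {
    const MemcachedStore = require('connect-memcached')(express);
    return new MemcachedStore(memcachedOpts);
  }

  const redisOpts = env.get('redis');
  if (!redisOpts) {
    // Previously this surfaced as a TypeError on `redisOpts.db`; fail with a
    // message that names the missing configuration instead.
    throw new Error('getSessionStore: neither `memcached` nor `redis` is configured');
  }

  const RedisStore = require('connect-redis')(express);
  // Copy the options rather than mutating the object returned by env.get().
  const storeOpts = Object.assign({}, redisOpts, { db: env.get('redis_session_db') });
  const store = new RedisStore(storeOpts);
  // An 'error' event with no listener is thrown as an uncaught exception in
  // Node, which would take the whole process down on a transient Redis fault.
  store.client.on('error', function (err) {
    console.error("REDIS ERROR", err);
  });
  return store;
};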
// Session middleware using 'openbadger.sid' as the session cookie key, the
// app-wide `secret`, and the store built by getSessionStore().
exports.session = function (sessionStore) {
  var sessionOpts = {
    key: 'openbadger.sid',
    store: sessionStore,
    secret: env.get('secret'),
  };
  return express.session(sessionOpts);
};
/**
 * Middleware that sets `Access-Control-Allow-Origin: *` only on responses
 * whose request URL matches one of `options.whitelist` (see parseWhitelist);
 * all other requests pass through untouched. A wildcard origin is not usable
 * for credentialed cross-origin requests, so keep the whitelist to endpoints
 * that are genuinely public.
 *
 * @param {object} [options]
 * @param {Array<string|RegExp>} [options.whitelist]
 * @returns {Function} connect middleware `(req, res, next)`
 */
exports.cors = function cors(options) {
  var opts = options || {};
  var openPatterns = parseWhitelist(opts.whitelist);
  return function (req, res, next) {
    var isOpen = isExempt(openPatterns, req.url);
    if (isOpen) {
      res.header("Access-Control-Allow-Origin", "*");
    }
    return next();
  };
};
/**
 * Middleware that adds `Cache-Control: no-cache` to every response except
 * those whose request URL matches one of `options.whitelist`.
 *
 * @param {object} [options]
 * @param {Array<string|RegExp>} [options.whitelist]
 * @returns {Function} connect middleware `(req, res, next)`
 */
exports.noCache = function noCache(options) {
  var opts = options || {};
  var exemptPatterns = parseWhitelist(opts.whitelist);
  return function (req, res, next) {
    var exempt = isExempt(exemptPatterns, req.url);
    if (!exempt) {
      res.header("Cache-Control", "no-cache");
    }
    return next();
  };
};
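/**
 * Adapted from connect/lib/middleware/csrf.js
 *
 * Synchronizer-token CSRF protection. A token is created on first use and
 * kept in `req.session._csrf`; every request whose method is not GET, HEAD or
 * OPTIONS must echo it back via `body.csrf`, `query.csrf` or the
 * `X-CSRF-Token` header. A mismatch is logged and answered with 403.
 * URLs matching `options.whitelist` skip the check entirely.
 *
 * @param {object} [options]
 * @param {Array<string|RegExp>} [options.whitelist] - patterns understood by
 *   parseWhitelist
 * @returns {Function} connect middleware `(req, res, next)`
 */
exports.csrf = function csrf(options) {
  options = options || {};
  var whitelist = parseWhitelist(options.whitelist);

  // Candidate token from the request; the first non-empty source wins.
  // NOTE(review): accepting the token from the query string lets it end up in
  // access logs and Referer headers; body or header are the safer carriers.
  function getToken(req) {
    return (req.body && req.body.csrf)
      || (req.query && req.query.csrf)
      || (req.headers['x-csrf-token']);
  }

  // Constant-time comparison so response timing does not reveal how many
  // leading bytes of a submitted value matched the session token. Non-string
  // values (e.g. an object produced by the body parser) are rejected outright.
  // Requires crypto.timingSafeEqual (Node >= 6.6).
  function tokensMatch(submitted, expected) {
    if (typeof submitted !== 'string' || typeof expected !== 'string')
      return false;
    var a = Buffer.from(submitted);
    var b = Buffer.from(expected);
    if (a.length !== b.length)
      return false;
    return crypto.timingSafeEqual(a, b);
  }

  return function (req, res, next) {
    if (isExempt(whitelist, req.url))
      return next();

    // The session middleware has to run before this one; report that clearly
    // instead of failing with a TypeError on `req.session._csrf` below.
    if (!req.session)
      return next(new Error('csrf: req.session is missing; mount session middleware before csrf'));

    // generate the CSRF token on first use; it is reused for the rest of the session
    var token = req.session._csrf || (req.session._csrf = util.uid(24));

    // safe methods are never checked
    if ('GET' === req.method ||
        'HEAD' === req.method ||
        'OPTIONS' === req.method)
      return next();

    if (!tokensMatch(getToken(req), token)) {
      logger.warn(util.format('CSRF failure at %s', req.url));
      return res.send(403);
    }
    return next();
  };
};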
/**
 * True when `path` matches at least one pattern in `whitelist`.
 * Patterns are tested from last to first, stopping at the first hit.
 *
 * @param {RegExp[]} whitelist - compiled patterns from parseWhitelist()
 * @param {string} path - request URL to test
 * @returns {boolean}
 */
function isExempt(whitelist, path) {
  for (var idx = whitelist.length - 1; idx >= 0; idx--) {
    if (whitelist[idx].test(path)) {
      return true;
    }
  }
  return false;
}
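/**
 * Compile a whitelist into RegExp objects for isExempt().
 *
 * String entries are treated as globs: every `*` matches any run of
 * characters (including `/`) and everything else is matched literally,
 * anchored to the whole URL. RegExp entries are passed through unchanged.
 *
 * Previously only the first `*` was expanded and the remainder of the
 * string was fed to RegExp unescaped, so a `.` or `?` in a path widened the
 * match; since these lists gate CSRF and cache exemptions, the glob is now
 * escaped so it matches only what it says.
 *
 * @param {Array<string|RegExp>|undefined} array
 * @returns {RegExp[]} empty when `array` is falsy
 */
function parseWhitelist(array) {
  if (!array)
    return [];
  return array.map(function (entry) {
    if (typeof entry !== 'string')
      return entry;
    // Split on every '*', escape the literal pieces, then rejoin with the
    // wildcard so no regex metacharacter in the path survives unescaped.
    var pattern = entry.split('*').map(function (piece) {
      return piece.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    }).join('.*?');
    return RegExp('^' + pattern + '$');
  });
}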
exports.flash = flash;