Commit 4534ddc9 authored by Lloyd Hilaiel's avatar Lloyd Hilaiel

add logging to CSRF token generation, and rather than throwing an exception...

add logging to CSRF token generation, and rather than throwing an exception when a mismatch is detected, log an error and return a bad request to the client (seems like a better fit than 'not authorized'). issue #173
parent 5141c0ce
......@@ -197,6 +197,7 @@ exports.setup = function(server) {
// FIXME: using express-csrf's approach for generating randomness
// not awesome, but probably sufficient for now.
req.session.csrf = crypto.createHash('md5').update('' + new Date().getTime()).digest('hex');
logger.debug("NEW csrf token created: " + req.session.csrf);
}
next();
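Review bot: The new `logger.debug` on the third line of this hunk writes the freshly created CSRF token in clear to the log, and the `logger.warn` added in the second hunk does the same with the session's expected token; a value whose whole purpose is to be unguessable by a third party should not be recoverable from log files, which are typically retained longer and read more widely than the session store. Log the event without the value, e.g. `logger.debug("NEW csrf token created for session");`, or at most a short prefix of it. The surrounding FIXME is right that an MD5 of the current time is not suitable randomness here; `crypto.randomBytes` is available through the same `crypto` module this line already uses. The enclosing `exports.setup` function and the `if` that guards token creation both begin outside the hunk.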
......@@ -228,14 +229,13 @@ exports.setup = function(server) {
// check CSRF token
server.use(function(req, resp, next) {
// only on POSTs
if (req.method == "POST") {
if (req.body.csrf != req.session.csrf) {
// error, problem with CSRF
throw new Error("CSRF violation - " + req.body.csrf + '/' + req.session.csrf);
}
if (req.method == "POST" && req.body.csrf != req.session.csrf) {
// error, problem with CSRF
logger.warn("CSRF token mismatch. got:" + req.body.csrf + " wanted:" + req.session.csrf);
httputils.badRequest(resp, "CSRF violation");
} else {
next();
}
next();
});
// add middleware to re-write urls if needed
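Review bot: The new condition `if (req.method == "POST" && req.body.csrf != req.session.csrf)` accepts a POST whose body carries no `csrf` field when the session also has no token, because `undefined != undefined` is false; if the token-creating middleware from the first hunk always runs first this case may be unreachable, but the check should not depend on that ordering. Use strict inequality and require the session token to exist: `if (req.method == "POST" && (!req.session.csrf || req.body.csrf !== req.session.csrf)) {`. Loose `!=` also lets a non-string body value be coerced before comparison, which strict comparison avoids. The code assumes `req.body` has been populated by an earlier body parser, and the enclosing `exports.setup` function begins and ends outside the hunk.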