From de489f22303ab479e657de4684e6ad35636a6a62 Mon Sep 17 00:00:00 2001 From: Lloyd Hilaiel <lloyd@hilaiel.com> Date: Fri, 19 Aug 2011 00:38:37 +0300 Subject: [PATCH] more verbose debug logging on CSRF token verification failure (explain why)
---
 browserid/app.js | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-)
diff --git a/browserid/app.js b/browserid/app.js
index 9902a49f0..15c84111e 100644
--- a/browserid/app.js
+++ b/browserid/app.js
@@ -193,15 +193,32 @@ exports.setup = function(server) {
 server.use(function(req, resp, next) {
 // only on POSTs
 if (req.method == "POST") {
- if (!/^\/wsapi/.test(req.url) || // post requests only allowed to /wsapi
- req.session === undefined || // there must be a session
- typeof req.session.csrf !== 'string' || // the session must have a csrf token
- req.body.csrf != req.session.csrf) // and the token must match what is sent in the post body
- {
+ var denied = false;
+ if (!/^\/wsapi/.test(req.url)) { // post requests only allowed to /wsapi
+ denied = true;
+ logger.warn("CSRF validation failure: POST only allowed to /wsapi urls. not '" + req.url + "'");
+ }
+
+ if (req.session === undefined) { // there must be a session
+ denied = true;
+ logger.warn("CSRF validation failure: POST calls to /wsapi require an active session");
+ }
+
+ // the session must have a csrf token
+ if (typeof req.session.csrf !== 'string') {
+ denied = true;
+ logger.warn("CSRF validation failure: POST calls to /wsapi require an csrf token to be set");
+ }
+
+ // and the token must match what is sent in the post body
+ if (req.body.csrf != req.session.csrf) {
+ denied = true;
 // if any of these things are false, then we'll block the request
- logger.warn("CSRF validation failure.");
- return httputils.badRequest(resp, "CSRF violation");
+ logger.warn("CSRF validation failure, token mismatch. got:" + req.body.csrf + " want:" + req.session.csrf);
 }
+
+ if (denied) return httputils.badRequest(resp, "CSRF violation");
+
 }
 return next();
 });
-- GitLab
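Review bot: The new mismatch branch writes the session's expected token into the log (`" want:" + req.session.csrf`), so anyone who can read the warn log can forge a CSRF-protected POST for that session; log only whether a token was submitted (or its length), never the expected value. The rewrite also loses the short-circuit the old `||` chain provided: when `req.session` is undefined the code sets `denied` but still evaluates `typeof req.session.csrf` and `req.body.csrf != req.session.csrf`, which throws a TypeError instead of returning the 400. Returning from each failing check fixes both, and the comparison should be strict (`!==`) behind a `typeof req.body.csrf === 'string'` guard so a non-string body value cannot coerce through the loose comparison (the "an csrf token" typo can go at the same time). The enclosing `server.use` callback and `exports.setup` both start before and end after this hunk.
```javascript
    if (req.method == "POST") {
      // post requests only allowed to /wsapi
      if (!/^\/wsapi/.test(req.url)) {
        logger.warn("CSRF validation failure: POST only allowed to /wsapi urls. not '" + req.url + "'");
        return httputils.badRequest(resp, "CSRF violation");
      }
      // there must be a session; return here so the checks below never
      // dereference an undefined req.session
      if (req.session === undefined) {
        logger.warn("CSRF validation failure: POST calls to /wsapi require an active session");
        return httputils.badRequest(resp, "CSRF violation");
      }
      // the session must have a csrf token
      if (typeof req.session.csrf !== 'string') {
        logger.warn("CSRF validation failure: POST calls to /wsapi require a csrf token to be set");
        return httputils.badRequest(resp, "CSRF violation");
      }
      // the submitted token must be a string and must match the session's;
      // never log the expected token, only what we observe about the submitted one
      if (typeof req.body.csrf !== 'string' || req.body.csrf !== req.session.csrf) {
        logger.warn("CSRF validation failure: token mismatch (submitted token " +
                    (typeof req.body.csrf === 'string' ? "present, length " + req.body.csrf.length : "missing or not a string") + ")");
        return httputils.badRequest(resp, "CSRF violation");
      }
    }
    // … unchanged: return next(); …
```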