Merge pull request #1 from GeneralZero/master

Changed Views to accept CSRF token

Author: GeneralZero

app.js

@@ -69,16 +69,18 @@ app.use(express.urlencoded());
 app.use(expressValidator());
 app.use(express.methodOverride());
 app.use(express.session({
-  secret: 'your secret code',
+  secret: secrets.sessionSecret,
   store: new MongoStore({
     db: mongoose.connection.db,
     auto_reconnect: true
   })
 }));
+app.use(express.csrf());
 app.use(passport.initialize());
 app.use(passport.session());
 app.use(function(req, res, next) {
   res.locals.user = req.user;
+  res.locals.token = req.csrfToken(); 
   next();
 });
 app.use(flash());
@@ -90,6 +92,13 @@ app.use(function(req, res) {
 });
 app.use(express.errorHandler());
 
+/*Helper function for CSRF 
+app.dynamicHelpers({
+    token: function(req, res) {
+        return req.session._csrf;
+    }
+});*/
+
 /**
  * Application routes.
  */

config/secrets.js

@@ -1,6 +1,8 @@
 module.exports = {
   db: 'localhost',
 
+  sessionSecret: "Your Session Secret goes here",
+
   sendgrid: {
     user: 'Your SendGrid Username',
     password: 'Your SendGrid Password'

views/account/login.jade

@@ -24,6 +24,8 @@ block content
       .form-group
         label.control-label(for='username') Password
         input.form-control(type='password', name='password', id='password', placeholder='Password')
+      .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
       .form-group
         button.btn.btn-primary(type='submit')
           i.fa.fa-unlock-alt

views/account/profile.jade

@@ -30,12 +30,15 @@ block content
       label.col-xs-2.control-label(for='website') Website
       .col-xs-4
         input.form-control(type='text', name='website', id='website', value='#{user.profile.website}')
+    .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
     .form-group
       .col-xs-offset-2.col-xs-4
         button.btn.btn.btn-primary(type='submit') Update Profile
 
 
 
+
   .page-header
     h3 Change Password
 
@@ -48,6 +51,8 @@ block content
       label.col-xs-3.control-label(for='confirmPassword') Confirm Password
       .col-xs-4
         input.form-control(type='password', name='confirmPassword', id='confirmPassword')
+    .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
     .form-group
       .col-xs-offset-3.col-xs-4
         button.btn.btn.btn-primary(type='submit') Change Password
@@ -80,4 +85,4 @@ block content
   if user.github
     p: a.text-danger(href='/account/unlink/github') Unlink your GitHub account
   else
-    p: a(href='/auth/github') Link your GitHub account
+    p: a(href='/auth/github') Link your GitHub account

views/account/signup.jade

@@ -15,6 +15,8 @@ block content
       label.col-sm-3.control-label(for='username') Confirm Password
       .col-sm-7
         input.form-control(type='password', name='confirmPassword', id='confirmPassword', placeholder='Confirm Password')
+    .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
     .form-group
       .col-sm-offset-3.col-sm-7
         button.btn.btn-success(type='submit')

views/contact.jade

@@ -17,6 +17,8 @@ block content
       label(class='col-sm-2 control-label', for='contactBody') Body
       .col-sm-8
         textarea.form-control(type='text', name='message', id='message', rows='7')
+    .form-group
+        input.form-control(type='hidden', name='_csrf', value=token) 
     .form-group
       .col-sm-offset-2.col-sm-8
         button.btn.btn-default(type='submit')