diff options
Diffstat (limited to 'examples/cross-domain/server.js')
| -rw-r--r-- | examples/cross-domain/server.js | 51 |
1 files changed, 36 insertions, 15 deletions
diff --git a/examples/cross-domain/server.js b/examples/cross-domain/server.js index d0adf32..65117d1 100644 --- a/examples/cross-domain/server.js +++ b/examples/cross-domain/server.js @@ -1,28 +1,46 @@ - var express = require('express'); + +var connect = require('connect'); +// Custom csrf library +var csrf = require('./csrf'); + var app = express.createServer(); var allowCrossDomain = function(req, res, next) { - res.header('Access-Control-Allow-Credentials', true); - res.header('Access-Control-Allow-Origin', req.headers.origin) - res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS'); - res.header('Access-Control-Allow-Headers', 'X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version'); - next(); + // Added other domains you want the server to give access to + // WARNING - Be careful with what origins you give access to + var allowedHost = [ + 'http://backbonetutorials.com', + 'http://localhost' + ]; + + if(allowedHost.indexOf(req.headers.origin) !== -1) { + res.header('Access-Control-Allow-Credentials', true); + res.header('Access-Control-Allow-Origin', req.headers.origin) + res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS'); + res.header('Access-Control-Allow-Headers', 'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version'); + next(); + } else { + res.send({auth: false}); + } } app.configure(function() { - app.use(express.cookieParser({cookie: { domain : "localhost" }})); + app.use(express.cookieParser()); app.use(express.session({ secret: 'thomasdavislovessalmon' })); app.use(express.bodyParser()); app.use(allowCrossDomain); + app.use(csrf.check); }); app.get('/session', function(req, res){ - // Check auth + // This checks the current users auth + // It runs before Backbones router is started + // we should return a csrf token for Backbone to use if(typeof req.session.username !== 'undefined'){ - res.send({auth: true, id: req.session.id, username: req.session.username}); + res.send({auth: true, id: req.session.id, username: req.session.username, _csrf: req.session._csrf}); } else { - res.send({auth: false}); + res.send({auth: false, _csrf: req.session._csrf}); } }); @@ -30,16 +48,19 @@ app.post('/session', function(req, res){ // Login // Here you would pull down your user credentials and match them up // to the request - var randomSessionId = Math.ceil(Math.random() * 100000); - req.session.id = randomSessionId; req.session.username = req.body.username; res.send({auth: true, id: req.session.id, username: req.session.username}); }); app.del('/session/:id', function(req, res, next){ - // Logout - req.session.destroy(function(err){ - res.send({auth: false}); + // Logout by clearing the session + req.session.regenerate(function(err){ + // Generate a new csrf token so the user can login again + // This is pretty hacky, connect.csrf isn't built for rest + // I will probably release a restful csrf module + csrf.generate(req, res, function () { + res.send({auth: false, _csrf: req.session._csrf}); + }); }); }); |