
// TODO - Write a better csrf module lol
// hacked this together for the tutorial

var crypto = require('crypto');

/**
 * Build a random token of `len` base64 characters.
 *
 * Enough random bytes are drawn to yield at least `len` base64 digits
 * (base64 emits 4 characters per 3 input bytes), and the encoding is then
 * truncated to exactly `len` characters. Uses crypto.randomBytes, i.e. a
 * CSPRNG, which is what a CSRF token needs.
 *
 * @param {number} len - number of base64 characters wanted
 * @returns {string} token of length `len`
 */
var generateToken = function(len) {
  var byteCount = Math.ceil((len * 3) / 4);
  var encoded = crypto.randomBytes(byteCount).toString('base64');
  return encoded.slice(0, len);
};
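/**
 * Pull the CSRF token the client sent with the request.
 *
 * Looked up, in order of precedence, in the parsed body (`_csrf`), the
 * query string (`_csrf`) and the `x-csrf-token` header. Every location is
 * guarded, so a request object without a parsed body, query or headers
 * yields undefined instead of throwing.
 *
 * Note: accepting the token from the query string means it can land in
 * server logs, browser history and Referer headers; forms and XHR calls
 * should prefer the body field or the header.
 *
 * @param {object} req - request, possibly carrying `body`, `query`, `headers`
 * @returns {string|undefined} the submitted token, or undefined if none
 */
function defaultValue(req) {
  return (req.body && req.body._csrf)
    || (req.query && req.query._csrf)
    || (req.headers && req.headers['x-csrf-token']);
}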
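/**
 * Compare the submitted token against the session's in constant time.
 *
 * Returns false for anything that is not a string (a missing field, or a
 * body parser handing back an array/object for `_csrf`) and for length
 * mismatches; equal-length strings go through crypto.timingSafeEqual so
 * the comparison does not short-circuit on the first differing byte.
 *
 * @param {*} submitted - value taken from the request
 * @param {string} expected - token stored in the session
 * @returns {boolean} true only when both are equal strings
 */
function tokensMatch(submitted, expected) {
  if (typeof submitted !== 'string' || typeof expected !== 'string') return false;
  var a = Buffer.from(submitted);
  var b = Buffer.from(expected);
  if (a.length !== b.length) return false;
  return crypto.timingSafeEqual(a, b);
}

/**
 * Middleware: ensure the session holds a CSRF token, then verify that
 * state-changing requests carry a matching copy.
 *
 * GET/HEAD/OPTIONS pass straight through, which is only sound if those
 * handlers really are side-effect free. For any other method the token
 * found by defaultValue must equal req.session._csrf; on mismatch (or a
 * missing/non-string token) next() receives a function that replies
 * {auth: false}. NOTE(review): presumably an error handler further down
 * the chain invokes that function — confirm against the app wiring.
 *
 * Requires session middleware to have populated req.session.
 *
 * @param {object} req - request with `session`, `method` and the token source
 * @param {object} res - response, used only on rejection
 * @param {function} next - continuation
 */
var checkToken = function(req, res, next) {
    var token = req.session._csrf || (req.session._csrf = generateToken(24));
    if (req.method === 'GET' || req.method === 'HEAD' || req.method === 'OPTIONS') return next();
    var val = defaultValue(req);
    if (!tokensMatch(val, token)) {
        return next(function() {
            res.send({auth: false});
        });
    }
    next();
};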
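/**
 * Middleware: make sure the session carries a CSRF token, creating one
 * (24 base64 characters, 18 random bytes) on first use, then continue.
 *
 * Mount this ahead of anything that renders the token into a form or
 * response so req.session._csrf is populated by then. Requires session
 * middleware to have populated req.session.
 *
 * @param {object} req - request with `session`
 * @param {object} res - unused
 * @param {function} next - continuation
 */
var newToken = function(req, res, next) {
  // Only the side effect on the session matters; the token value itself
  // is not needed here, so it is not kept in a local.
  if (!req.session._csrf) req.session._csrf = generateToken(24);
  next();
};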
// Public surface of the module: `check` verifies the token on
// state-changing requests, `generate` only ensures the session has one.
var csrf = {};
csrf.check = checkToken;
csrf.generate = newToken;
module.exports = csrf;