Adding CSURF

giancarlo-sanchez · giancarlo-sanchez · commit a771305fd1b5 · 2020-05-22T18:37:52.000-05:00
diff --git a/index.js b/index.js
@@ -6,7 +6,8 @@ const checkinRouter = require('./routes/checkins')
 const settingsRouter = require('./routes/settings')
 const cookieParser = require('cookie-parser')
 const bodyParser = require('body-parser');
-const { asyncHandler } = require("./routes/utils")
+const { asyncHandler } = require("./routes/utils");
+const csrf = require("csurf");
 
 // Create the Express app.
 const app = express();
@@ -17,6 +18,7 @@ app.use(express.static(path.join(__dirname, "public")));
 app.use(express.json());
 app.use(cookieParser());
 app.use(bodyParser.urlencoded({ extended: false }));
+const csrfProtection = csrf({ cookie: true });
 app.use("/users", userRouter);
 app.use("/checkins", checkinRouter);
 app.use("/settings", settingsRouter);
@@ -189,11 +191,11 @@ app.get('/breweries/:id(\\d+)', asyncHandler(async (req, res) => {
 
 app.get("/create", (req, res) => { res.render("create") });
 
-app.get("/sign-up", (req, res) => {
-  res.render("sign-up");
+app.get("/sign-up",csrfProtection, (req, res) => {
+  res.render("sign-up",{csrfToken: req.csrfToken()});
 });
-app.get("/log-in", (req, res) => {
-  res.render("log-in")
+app.get("/log-in",csrfProtection, (req, res) => {
+  res.render("log-in",{csrfToken: req.csrfToken()})
 })
 
 app.get("/profile", (req, res) => {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -14,6 +14,7 @@
   "dependencies": {
     "body-parser": "^1.19.0",
     "cookie-parser": "^1.4.5",
+    "csurf": "^1.11.0",
     "dotenv": "^8.2.0",
     "express": "^4.17.1",
     "express-validator": "^6.5.0",
diff --git a/routes/users.js b/routes/users.js
@@ -1,12 +1,14 @@
 const express = require('express');
 const {asyncHandler } = require('./utils');
 const fetch = require('node-fetch');
+const csrf = require("csurf");
+const csrfProtection = csrf({ cookie: true });
 
 const router = express.Router();
 
-router.post("/sign-up", asyncHandler(async (req,res)=>{
+router.post("/sign-up",csrfProtection, asyncHandler(async (req,res)=>{
     const body = req.body;
-
+    console.log(body);
     const backendRes = await fetch(`${process.env.BACKEND_URL}/users/`, {
       method: "POST",
       body: JSON.stringify(body),
diff --git a/views/log-in.pug b/views/log-in.pug
@@ -11,6 +11,7 @@ block content
       h2.log-in__logo TAPPDIN
           p.log-in__quote Drink Responsibly
       form(class="log-in-form" method="post" action="/users/log-in")
+        input(type="hidden" name="_csrf" value=csrfToken)
         include form-elements.pug
         button.btn.btn-primary(type='submit') Log In
       a(href='/sign-up') Don't have an account? Sign up here.
diff --git a/views/sign-up.pug b/views/sign-up.pug
@@ -9,6 +9,7 @@ block content
                     p.sign-up__quote Drink Responsibly
                 //- TODO: update w more info for Tappdin
                 form(class="sign-up-form" method="post" action="/users/sign-up")
+                    input(type="hidden" name="_csrf" value=csrfToken)
                     .form-group
                         label(for='username') Username
                         input#username.form-control(type='text' name='username' placeholder="Username" required)
