-
Notifications
You must be signed in to change notification settings - Fork 1.9k
/
Copy pathindex.js
118 lines (95 loc) · 3.35 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
module.exports = function(sails) {
/**
* Module dependencies.
*/
var _ = require('lodash'),
util = require('sails-util'),
Hook = require('../../index');
/**
* Expose hook definition
*/
return {
defaults: {
// CSRF middleware protection, all non-GET requests must send '_csrf' parmeter
// _csrf is a parameter for views, and is also available via GET at /csrfToken
// TODO: move into csrf hook
csrf: false
},
configure: function () {
if (sails.config.csrf === true) {
sails.config.csrf = {
grantTokenViaAjax: true,
protectionEnabled: true,
origin: '-',
routesDisabled: '-'
};
}
else if (sails.config.csrf === false) {
sails.config.csrf = {
grantTokenViaAjax: false,
protectionEnabled: false,
origin: '-',
routesDisabled: '-'
};
}
// If user provides ANY object (including empty object), enable all default
// csrf protection.
else {
_.defaults(typeof sails.config.csrf === 'object' ? sails.config.csrf : {}, {
grantTokenViaAjax: true,
protectionEnabled: true,
origin: '-',
routesDisabled: '-'
});
}
// Add the csrfToken directly to the config'd routes, so that the CORS hook can process it
sails.config.routes["/csrfToken"] = {target: csrfToken, cors: {origin: sails.config.csrf.origin, credentials:true}};
},
initialize: function(cb) {
// Add res.view() method to compatible middleware
sails.on('router:before', function () {
sails.router.bind('/*', function(req, res, next) {
var allowCrossOriginCSRF = sails.config.csrf.origin.split(',').indexOf(req.headers.origin) > -1;
if (sails.config.csrf.protectionEnabled) {
var connect = require('express/node_modules/connect');
return connect.csrf()(req, res, function(err) {
var isRouteDisabled = sails.config.csrf.routesDisabled.split(',').indexOf(req.path) > -1;
if (util.isSameOrigin(req) || allowCrossOriginCSRF) {
res.locals._csrf = req.csrfToken();
} else {
res.locals._csrf = null;
}
if (err && !isRouteDisabled) {
// Return an Access-Control-Allow-Origin header in case this is a xdomain request
if (req.headers.origin) {
res.set('Access-Control-Allow-Origin', req.headers.origin);
res.set('Access-Control-Allow-Credentials', true);
}
return res.forbidden("CSRF mismatch");
} else {
return next();
}
});
}
// Always ok
res.locals._csrf = null;
next();
}, null, {_middlewareType: 'CSRF HOOK: CSRF'});
});
sails.on('router:after', function() {
sails.router.bind('/csrfToken', csrfToken, 'get', {cors: {origin: sails.config.csrf.origin, credentials: true}});
});
cb();
}
};
};
function csrfToken (req, res, next) {
// Allow this endpoint to be disabled by setting:
// sails.config.csrf = { grantTokenViaAjax: false }
if (!sails.config.csrf.grantTokenViaAjax) {
return next();
}
return res.json({
_csrf: res.locals._csrf
});
}