Bug/added csrf protection (#28)
Artlfmj authored Oct 2, 2023
2 parents 2390c26 + e4a30a8 commit bd3494c
Showing 1 changed file with 17 additions and 32 deletions.
49 changes: 17 additions & 32 deletions src/app.js
Expand Up @@ -89,18 +89,19 @@ app.use(
app.use(flash());
app.use(passport.initialize());
app.use(passport.session());
//changes
const csrfProtection = csrf({ cookie: true });
app.use(csrfProtection);

app.get("/login", limiter, (req, res) => {
app.get("/login", limiter, csrfProtection, (req, res) => {
if (req.isAuthenticated()) {
return res.redirect("/");
} else {
res.render("login", {
messages: req.flash("error") /*csrfToken: req.csrfToken()*/,
}); // Pass flash messages to the template
res.render("login", { messages: req.flash("error"), csrfToken: req.csrfToken() }); // Pass flash messages to the template
}
});

app.post("/login", limiter, (req, res, next) => {
app.post("/login", limiter, csrfProtection, (req, res, next) => {
/*console.log(req.body, req.csrfToken())
if (!req.body._csrf || req.body._csrf !== req.csrfToken()) {
return res.status(403).send("CSRF token validation failed.");
Expand All @@ -122,12 +123,13 @@ app.post("/login", limiter, (req, res, next) => {
})(req, res, next);
});

app.get("/logout", limiter, (req, res) => {
req.logout((err) => {
app.get('/logout', limiter, (req, res) => {
req.session.destroy(function (err) {
if (err) {
console.error("Error during logout:", err);
} else {
res.redirect('/login');
}
res.redirect("/login");
});
});

Expand All @@ -138,12 +140,11 @@ app.get("/", isAuthenticated, (req, res) => {

app.get("/register", (req, res) => {
if (req.isAuthenticated()) return res.redirect("/");
res.render("register", {
messages: req.flash("error") /*csrfToken: req.csrfToken()*/,
});
console.log(req.csrfToken())
res.render("register", { messages: req.flash("error"), csrfToken: req.csrfToken() });
});

app.post("/register", limiter, async (req, res) => {
app.post("/register", limiter, csrfProtection, async (req, res) => {
/*if (!req.body._csrf || req.body._csrf !== req.csrfToken()) {
return res.status(403).send("CSRF token validation failed.");
}*/
Expand Down Expand Up @@ -175,7 +176,7 @@ app.post("/register", limiter, async (req, res) => {
username: username,
email: email,
password: hashedPassword,
fullName,
fullName
// Additional user profile fields can be added here
});

Expand All @@ -190,14 +191,11 @@ app.post("/register", limiter, async (req, res) => {
}
});

app.get("/profile", limiter, isAuthenticated, async (req, res) => {
res.render("profile", {
user: req.user,
messages: req.flash() /*csrfToken: req.csrfToken()*/,
});
app.get('/profile', isAuthenticated, async (req, res) => {
res.render('profile', { user: req.user, messages: req.flash(), csrfToken: req.csrfToken() });
});

app.post("/profile", limiter, isAuthenticated, async (req, res) => {
app.post('/profile', limiter, isAuthenticated, csrfProtection, async (req, res) => {
/*if (!req.body._csrf || req.body._csrf !== req.csrfToken()) {
return res.status(403).send("CSRF token validation failed.");
}*/
Expand Down Expand Up @@ -230,19 +228,6 @@ app.post("/profile", limiter, isAuthenticated, async (req, res) => {
// Handle the error, display an error message, or redirect to an error page
return res.status(500).send("Error updating profile.");
}

// Update the user's profile fields
user.fullName = fullName;
user.avatarUrl = avatarUrl;
user.bio = bio;
user.location = location;
user.website = website;

// Save the updated user profile
await user.save();

// Redirect to the user's profile page or any other desired page
return res.redirect("/profile");
});

app.use("/courses", limiter, isAuthenticated, async function (req, res) {
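Review bot: `console.log(req.csrfToken())` in the GET /register handler writes a live CSRF token to the server log on every page view; it reads as a leftover debug statement and should be removed so the route only does `res.render("register", { messages: req.flash("error"), csrfToken: req.csrfToken() });`. Because `app.use(csrfProtection)` is registered globally a few lines earlier, the per-route `csrfProtection` arguments on /login, /register and /profile are redundant, and since the app already runs `passport.session()` the secret could live in the session (`csrf()` without `cookie: true`) rather than in a double-submit cookie; if `csrf` here is csurf, that package is deprecated upstream and worth replacing. Two further defects in this file: the new `req.session.destroy` callback in GET /logout sends no response on the error path, so the request hangs until the client times out — redirect or return a 500 in both branches. The POST /profile hunk deletes the field assignments, `await user.save()` and the final `res.redirect("/profile")` with no visible replacement, so unless that logic moved into the unexpanded region above, the handler now ends without responding after the user lookup.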
