csrf token

.gitignore

@@ -3,4 +3,9 @@
 /.vagrant
 /package.box
 
+/.idea
+*~
+.DS_Store
+
 /config.coffee
+/session.key

app.coffee

@@ -7,6 +7,10 @@ moment = require 'moment-timezone'
 redis = require 'redis'
 express = require 'express'
 {MongoClient} = require 'mongodb'
+session = require 'express-session'
+crypto = require 'crypto'
+csrf = require('csrf')()
+RedisStore = require('connect-redis')(session)
 
 global.app = express()
 
@@ -14,6 +18,7 @@ config = null
 
 exports.checkEnvironment = ->
   config_file_path = path.join __dirname, 'config.coffee'
+  session_key_path = path.join __dirname, 'session.key'
 
   unless fs.existsSync config_file_path
     default_config_file_path = path.join __dirname, './sample/rpvhost.config.coffee'
@@ -27,6 +32,9 @@ exports.checkEnvironment = ->
   if fs.existsSync config.web.listen
     fs.unlinkSync config.web.listen
 
+  unless fs.existsSync session_key_path
+    fs.writeFileSync session_key_path, crypto.randomBytes(48).toString('hex')
+
 exports.run = ->
   exports.checkEnvironment()
 
@@ -76,6 +84,31 @@ exports.run = ->
 
     app.use require 'middleware-injector'
 
+    app.use session
+      store: new RedisStore
+        client: app.redis
+
+      resave: true
+      saveUninitialized: true
+      secret: fs.readFileSync path.join __dirname, 'session.key'
+
+    app.use (req, res, next) ->
+      unless req.session.csrf_secret
+        csrf.secret (err, secret) ->
+          req.session.csrf_secret = secret
+          req.session.csrf_token = csrf.token secret
+          next()
+
+      next()
+
+    app.use (req, res, next) ->
+      unless req.method == 'GET'
+        unless csrf.verify req.session.csrf_secret, req.params.csrf_token
+          res.status(403).send
+            error: 'invalid_csrf_token'
+
+      next()
+
     app.use (req, res, next) ->
       req.res = res
 

core/pluggable.coffee

@@ -148,7 +148,6 @@ exports.createHelpers = (plugin) ->
   plugin.t = (req) ->
     return (name) ->
       full_name = "plugins.#{plugin.name}.#{name}"
-      console.log full_name
 
       args = _.toArray arguments
       args[0] = full_name

core/static/script/global.coffee

@@ -27,6 +27,8 @@ $ ->
 
     jQueryMethod = $[options.method ? 'post']
 
+    param.csrf_token = $('body').data 'csrf-token'
+
     jQueryMethod url, JSON.stringify param
     .fail (jqXHR) ->
       if jqXHR.responseJSON?.error

core/static/script/layout.coffee

@@ -2,7 +2,7 @@ $ ->
   client_version = localStorage.getItem 'locale_version'
   latest_version = $('body').data 'locale-version'
 
-  if client_version  == latest_version
+  if client_version == latest_version
     window.i18n_data = JSON.parse localStorage.getItem 'locale_cache'
   else
     $.getJSON "/locale/", (result) ->

core/view/layout.jade

@@ -8,7 +8,7 @@ html
       for hook in selectHook('view.layout.styles')
         link(rel='stylesheet', href=hook.path)
 
-  body(data-username="#{account ? account.username : ''}", data-locale-version=app.i18n.clientLocaleHash(req))
+  body(data-username="#{account ? account.username : ''}", data-locale-version=app.i18n.clientLocaleHash(req), data-csrf-token=req.session.csrf_token)
     header.navbar-fixed-top
       .container
         nav.navbar.navbar-default.navbar-inverse(role='navigation')

package.json

@@ -44,6 +44,9 @@
     "underscore": "^1.6.0",
     "json-stable-stringify": "^1.0.0",
     "counter-cache": "^0.1.0",
-    "cookie-parser": "^1.3.3"
+    "cookie-parser": "^1.3.3",
+    "csrf": "^2.0.1",
+    "connect-redis": "^2.0.1",
+    "express-session": "^1.8.2"
   }
 }