From c91af91850aaf1ce64da1e6964f653ffa7d34494 Mon Sep 17 00:00:00 2001 From: jysperm Date: Fri, 10 Oct 2014 00:29:48 +0800 Subject: [PATCH] csrf token --- .gitignore | 5 +++++ app.coffee | 33 ++++++++++++++++++++++++++++++++ core/pluggable.coffee | 1 - core/static/script/global.coffee | 2 ++ core/static/script/layout.coffee | 2 +- core/view/layout.jade | 2 +- package.json | 5 ++++- 7 files changed, 46 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 8d89755..7f2cc09 100644 --- a/.gitignore +++ b/.gitignore @@ -3,4 +3,9 @@ /.vagrant /package.box +/.idea +*~ +.DS_Store + /config.coffee +/session.key diff --git a/app.coffee b/app.coffee index bf3bfbe..19fbe67 100644 --- a/app.coffee +++ b/app.coffee @@ -7,6 +7,10 @@ moment = require 'moment-timezone' redis = require 'redis' express = require 'express' {MongoClient} = require 'mongodb' +session = require 'express-session' +crypto = require 'crypto' +csrf = require('csrf')() +RedisStore = require('connect-redis')(session) global.app = express() @@ -14,6 +18,7 @@ config = null exports.checkEnvironment = -> config_file_path = path.join __dirname, 'config.coffee' + session_key_path = path.join __dirname, 'session.key' unless fs.existsSync config_file_path default_config_file_path = path.join __dirname, './sample/rpvhost.config.coffee' @@ -27,6 +32,9 @@ exports.checkEnvironment = -> if fs.existsSync config.web.listen fs.unlinkSync config.web.listen + unless fs.existsSync session_key_path + fs.writeFileSync session_key_path, crypto.randomBytes(48).toString('hex') + exports.run = -> exports.checkEnvironment() 
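Review bot: `fs.writeFileSync session_key_path, crypto.randomBytes(48).toString('hex')` creates the session-cookie signing key with the process's default file mode (typically 0644 under the usual umask), so any local account on the host can read the secret that signs every session cookie and mint sessions. Pass an explicit mode at creation: `fs.writeFileSync session_key_path, crypto.randomBytes(48).toString('hex'), mode: 0o600`. Since the `unless fs.existsSync` branch never revisits an existing file, a key created by an earlier run keeps whatever mode it got, so a one-time `fs.chmodSync session_key_path, 0o600` outside the branch is worth considering. The 48 random bytes from `crypto.randomBytes` are a sound secret; only the on-disk permissions are the gap. The body of `checkEnvironment` starts outside this hunk.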
@@ -76,6 +84,31 @@ exports.run = -> app.use require 'middleware-injector' + app.use session + store: new RedisStore + client: app.redis + + resave: true + saveUninitialized: true + secret: fs.readFileSync path.join __dirname, 'session.key' + + app.use (req, res, next) -> + unless req.session.csrf_secret + csrf.secret (err, secret) -> + req.session.csrf_secret = secret + req.session.csrf_token = csrf.token secret + next() + + next() + + app.use (req, res, next) -> + unless req.method == 'GET' + unless csrf.verify req.session.csrf_secret, req.params.csrf_token + res.status(403).send + error: 'invalid_csrf_token' + + next() + app.use (req, res, next) -> req.res = res diff --git a/core/pluggable.coffee b/core/pluggable.coffee index 39b9f9c..3d77610 100644 --- a/core/pluggable.coffee +++ b/core/pluggable.coffee @@ -148,7 +148,6 @@ exports.createHelpers = (plugin) -> plugin.t = (req) -> return (name) -> full_name = "plugins.#{plugin.name}.#{name}" - console.log full_name args = _.toArray arguments args[0] = full_name diff --git a/core/static/script/global.coffee b/core/static/script/global.coffee index f901b8a..a3efe02 100644 --- a/core/static/script/global.coffee +++ b/core/static/script/global.coffee @@ -27,6 +27,8 @@ $ -> jQueryMethod = $[options.method ? 'post'] + param.csrf_token = $('body').data 'csrf-token' + jQueryMethod url, JSON.stringify param .fail (jqXHR) -> if jqXHR.responseJSON?.error diff --git a/core/static/script/layout.coffee b/core/static/script/layout.coffee index b179c08..4fab937 100644 --- a/core/static/script/layout.coffee +++ b/core/static/script/layout.coffee @@ -2,7 +2,7 @@ $ -> client_version = localStorage.getItem 'locale_version' latest_version = $('body').data 'locale-version' - if client_version == latest_version + if client_version == latest_version window.i18n_data = JSON.parse localStorage.getItem 'locale_cache' else $.getJSON "/locale/", (result) -> 
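Review bot: The csrf-secret middleware calls `next()` twice on a visitor's first request — once synchronously at the bottom of the handler and again inside the `csrf.secret` callback — so the verify middleware and the layout's `req.session.csrf_token` run before the secret exists and the rest of the chain is entered a second time. The verify middleware has the mirror defect: after `res.status(403).send error: 'invalid_csrf_token'` it falls through to `next()`, so a request with a missing or wrong token is still handed to the route handler and its side effects happen anyway (typically followed by a "headers already sent" error), which defeats the check. It also reads `req.params.csrf_token`, which in Express holds route parameters, while the client side of this commit (global.coffee) sends the token inside the JSON body; unless `middleware-injector` copies it somewhere, the value arrives as `req.body.csrf_token` after body parsing and `req.params.csrf_token` is always undefined. Exempting only `GET` leaves `HEAD` and `OPTIONS` demanding a token they cannot carry; the usual form is to skip the whole safe-method set. Both middlewares rewritten below; `exports.run` continues outside this hunk.
```coffeescript
  # … unchanged: middleware-injector and session setup …

  app.use (req, res, next) ->
    # Hand off exactly once: either the secret exists, or we wait for it.
    return next() if req.session.csrf_secret
    csrf.secret (err, secret) ->
      return next err if err
      req.session.csrf_secret = secret
      req.session.csrf_token = csrf.token secret
      next()

  app.use (req, res, next) ->
    return next() if req.method in ['GET', 'HEAD', 'OPTIONS']
    # Token is sent in the JSON body by global.coffee; requires the body
    # parser to have run before this middleware.
    token = req.body?.csrf_token
    unless csrf.verify req.session.csrf_secret, token
      return res.status(403).send
        error: 'invalid_csrf_token'
    next()

  # … unchanged: req.res = res middleware …
```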
diff --git a/core/view/layout.jade b/core/view/layout.jade index 366aa80..577c155 100644 --- a/core/view/layout.jade +++ b/core/view/layout.jade @@ -8,7 +8,7 @@ html for hook in selectHook('view.layout.styles') link(rel='stylesheet', href=hook.path) - body(data-username="#{account ? account.username : ''}", data-locale-version=app.i18n.clientLocaleHash(req)) + body(data-username="#{account ? account.username : ''}", data-locale-version=app.i18n.clientLocaleHash(req), data-csrf-token=req.session.csrf_token) header.navbar-fixed-top .container nav.navbar.navbar-default.navbar-inverse(role='navigation') diff --git a/package.json b/package.json index 6b6414c..5b3ec1c 100644 --- a/package.json +++ b/package.json @@ -44,6 +44,9 @@ "underscore": "^1.6.0", "json-stable-stringify": "^1.0.0", "counter-cache": "^0.1.0", - "cookie-parser": "^1.3.3" + "cookie-parser": "^1.3.3", + "csrf": "^2.0.1", + "connect-redis": "^2.0.1", + "express-session": "^1.8.2" } }