started work on #2082

public/src/app.js

@@ -161,9 +161,7 @@ var socket,
 	};
 
 	app.logout = function() {
-		$.post(RELATIVE_PATH + '/logout', {
+		$.post(RELATIVE_PATH + '/logout', function() {
-			_csrf: $('#csrf_token').val()
-		}, function() {
 			window.location.href = RELATIVE_PATH + '/';
 		});
 	};

public/src/forum/admin/index.js

@@ -13,9 +13,7 @@ define('forum/admin/index', function() {
 		socket.on('event:meta.rooms.update', Admin.updateRoomUsage);
 
 		$('#logout-link').on('click', function() {
-			$.post(RELATIVE_PATH + '/logout', {
+			$.post(RELATIVE_PATH + '/logout', function() {
-				_csrf: $('#csrf_token').val()
-			}, function() {
 				window.location.href = RELATIVE_PATH + '/';
 			});
 		});

public/src/modules/uploader.js

@@ -58,9 +58,6 @@ define('uploader', function() {
 				return false;
 			}
 
-			$(this).find('#imageUploadCsrf').val($('#csrf_token').val());
-
-
 			$(this).ajaxSubmit({
 				error: function(xhr) {
 					xhr = maybeParse(xhr);

src/controllers/admin.js

@@ -181,7 +181,9 @@ adminController.languages.get = function(req, res, next) {
 };
 
 adminController.settings.get = function(req, res, next) {
-	res.render('admin/settings', {});
+	res.render('admin/settings', {
+		'csrf': req.csrfToken()
+	});
 };
 
 adminController.logger.get = function(req, res, next) {

src/controllers/index.js

@@ -123,7 +123,7 @@ Controllers.login = function(req, res, next) {
 
 	data.alternate_logins = num_strategies > 0;
 	data.authentication = login_strategies;
-	data.token = res.locals.csrf_token;
+	data.token = req.csrfToken();
 	data.showResetLink = emailersPresent;
 	data.allowLocalLogin = meta.config.allowLocalLogin === undefined || parseInt(meta.config.allowLocalLogin, 10) === 1;
 	data.allowRegistration = meta.config.allowRegistration;
@@ -152,7 +152,7 @@ Controllers.register = function(req, res, next) {
 
 	data.authentication = login_strategies;
 
-	data.token = res.locals.csrf_token;
+	data.token = req.csrfToken();
 	data.minimumUsernameLength = meta.config.minimumUsernameLength;
 	data.maximumUsernameLength = meta.config.maximumUsernameLength;
 	data.minimumPasswordLength = meta.config.minimumPasswordLength;

src/middleware/admin.js

@@ -61,7 +61,7 @@ middleware.buildHeader = function(req, res, next) {
 					}
 				}, function(err, pluginData) {
 					var data = {
-						csrf: res.locals.csrf_token,
+						csrf: req.csrfToken ? req.csrfToken() : undefined,
 						relative_path: nconf.get('relative_path'),
 						plugins: pluginData.custom_header.plugins,
 						authentication: pluginData.custom_header.authentication,

src/middleware/index.js

@@ -20,7 +20,6 @@ var utils = require('./../../public/src/utils'),
 	compression = require('compression'),
 	favicon = require('serve-favicon'),
 	multipart = require('connect-multiparty'),
-	csrf = require('csurf'),
 	session = require('express-session'),
 
 	relativePath,
@@ -107,10 +106,8 @@ module.exports = function(app, data) {
 	}));
 
 	app.use(multipart());
-	app.use(csrf());
 
 	app.use(function (req, res, next) {
-		res.locals.csrf_token = req.csrfToken();
 		res.setHeader('X-Powered-By', 'NodeBB');
 
 		res.setHeader('X-Frame-Options', 'SAMEORIGIN');

src/middleware/middleware.js

@@ -16,6 +16,7 @@ var app,
 	topics = require('./../topics'),
 	messaging = require('../messaging'),
 	ensureLoggedIn = require('connect-ensure-login'),
+	csrf = require('csurf'),
 
 	controllers = {
 		api: require('./../controllers/api')
@@ -33,6 +34,8 @@ middleware.authenticate = function(req, res, next) {
 	}
 };
 
+middleware.requireCSRF = csrf();
+
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn();
 
 middleware.updateLastOnlineTime = function(req, res, next) {
@@ -251,7 +254,7 @@ middleware.renderHeader = function(req, res, callback) {
 				'cache-buster': meta.config['cache-buster'] ? 'v=' + meta.config['cache-buster'] : '',
 				'brand:logo': meta.config['brand:logo'] || '',
 				'brand:logo:display': meta.config['brand:logo']?'':'hide',
-				csrf: res.locals.csrf_token,
+				csrf: req.csrfToken ? req.csrfToken() : undefined,
 				navigation: custom_header.navigation,
 				allowRegistration: meta.config.allowRegistration === undefined || parseInt(meta.config.allowRegistration, 10) === 1,
 				searchEnabled: plugins.hasListeners('filter:search.query')

src/routes/admin.js

@@ -9,8 +9,8 @@ function mainRoutes(app, middleware, controllers) {
 	app.get('/admin/plugins', middleware.admin.buildHeader, controllers.admin.plugins.get);
 	app.get('/api/admin/plugins', controllers.admin.plugins.get);
 
-	app.get('/admin/settings', middleware.admin.buildHeader, controllers.admin.settings.get);
+	app.get('/admin/settings', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.settings.get);
-	app.get('/api/admin/settings', controllers.admin.settings.get);
+	app.get('/api/admin/settings', middleware.requireCSRF, controllers.admin.settings.get);
 
 	app.get('/admin/themes', middleware.admin.buildHeader, controllers.admin.themes.get);
 	app.get('/api/admin/themes', controllers.admin.themes.get);
@@ -57,10 +57,10 @@ function apiRoutes(app, middleware, controllers) {
 	// todo, needs to be in api namespace
 	app.get('/admin/users/csv', middleware.authenticate, controllers.admin.users.getCSV);
 
-	app.post('/admin/category/uploadpicture', middleware.authenticate, controllers.admin.uploads.uploadCategoryPicture);
+	app.post('/admin/category/uploadpicture', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadCategoryPicture);
-	app.post('/admin/uploadfavicon', middleware.authenticate, controllers.admin.uploads.uploadFavicon);
+	app.post('/admin/uploadfavicon', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadFavicon);
-	app.post('/admin/uploadlogo', middleware.authenticate, controllers.admin.uploads.uploadLogo);
+	app.post('/admin/uploadlogo', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadLogo);
-	app.post('/admin/uploadgravatardefault', middleware.authenticate, controllers.admin.uploads.uploadGravatarDefault);
+	app.post('/admin/uploadgravatardefault', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadGravatarDefault);
 }
 
 function miscRoutes(app, middleware, controllers) {

src/routes/authentication.js

@@ -197,8 +197,8 @@
 				/* End backwards compatibility block */
 
 				app.post('/logout', logout);
-				app.post('/register', register);
+				app.post('/register', middleware.requireCSRF, register);
-				app.post('/login', login);
+				app.post('/login', middleware.requireCSRF, login);
 			});
 		});
 	};

src/routes/index.js

@@ -21,11 +21,11 @@ function mainRoutes(app, middleware, controllers) {
 	app.get('/', middleware.buildHeader, controllers.home);
 	app.get('/api', controllers.home);
 
-	app.get('/login', middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.login);
+	app.get('/login', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.login);
-	app.get('/api/login', middleware.redirectToAccountIfLoggedIn, controllers.login);
+	app.get('/api/login', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, controllers.login);
 
-	app.get('/register', middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.register);
+	app.get('/register', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.register);
-	app.get('/api/register', middleware.redirectToAccountIfLoggedIn, controllers.register);
+	app.get('/api/register', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, controllers.register);
 
 	app.get('/confirm/:code', middleware.buildHeader, controllers.confirmEmail);
 	app.get('/api/confirm/:code', controllers.confirmEmail);