added csrf to ajax calls

public/src/forum/account.js

@@ -26,7 +26,8 @@
 		}
 		
 		followBtn.on('click', function() {
-			$.post('/users/follow', {uid: theirid},
+			
+			$.post('/users/follow', {uid: theirid, _csrf:$('#csrf_token').val()},
 				function(data) {
 					followBtn.remove();
 					$('#user-action-alert').html('You are now following'+ $('.account-username').text() +'!').show();

public/src/forum/accountedit.js

@@ -80,7 +80,8 @@ $(document).ready(function() {
 	function changeUserPicture(type) { 
 		var userData = {
             uid: $('#inputUID').val(),
-			type: type
+			type: type,
+			_csrf:$('#csrf_token').val()
         };
             
 		$.post('/users/changepicture',
@@ -103,6 +104,7 @@ $(document).ready(function() {
             birthday:$('#inputBirthday').val(),
             location:$('#inputLocation').val(),
             signature:$('#inputSignature').val(),
+            _csrf:$('#csrf_token').val()
         };
             
 		$.post('/users/doedit',

public/src/forum/following.js

@@ -21,7 +21,7 @@
 				var removeBtn = $(this);
 				var followingUid = $(this).attr('followingUid');
 				
-				$.post('/users/unfollow', {uid: followingUid},
+				$.post('/users/unfollow', {uid: followingUid, _csrf:$('#csrf_token').val()},
 	            	function(data) {
 	            		removeBtn.parent().remove();
 					}                

public/templates/admin/users.tpl

@@ -92,7 +92,8 @@
 			var uid = parent.attr('data-uid');
 
 			var userData = {
-				uid:uid
+				uid:uid,
+				_csrf:$('#csrf_token').val()
 			};
 			
 			$.post('/admin/makeadmin',
@@ -122,7 +123,8 @@
 			var uid = parent.attr('data-uid');
 
 			var userData = {
-				uid:uid
+				uid:uid,
+				_csrf:$('#csrf_token').val()
 			};
 			
 			$.post('/admin/removeadmin',

public/templates/header.tpl

@@ -98,4 +98,7 @@
 
 	<div id="alert_window"></div>
 
-	<div class="container" id="content">
+	<input id="csrf_token" type="hidden" template-variable="csrf" value="{csrf}" />
+
+	<div class="container" id="content">
+

src/routes/authentication.js

@@ -86,7 +86,7 @@
 			console.log('info: [Auth] Session ' + req.sessionID + ' logout (uid: ' + global.uid + ')');
 			user_module.logout(req.sessionID, function(logout) {
 				req.logout();
-				res.send(app.build_header() + templates['logout'] + templates['footer']);
+				res.send(app.build_header(res) + templates['logout'] + templates['footer']);
 			});
 		});
 
@@ -120,11 +120,11 @@
 
 
 		app.get('/reset/:code', function(req, res) {
-			res.send(app.build_header() + templates['reset_code'].parse({ reset_code: req.params.code }) + templates['footer']);
+			res.send(app.build_header(res) + templates['reset_code'].parse({ reset_code: req.params.code }) + templates['footer']);
 		});
 
 		app.get('/reset', function(req, res) {
-			res.send(app.build_header() + templates['reset'] + templates['footer']);
+			res.send(app.build_header(res) + templates['reset'] + templates['footer']);
 		});
 
 

src/routes/user.js

@@ -23,9 +23,8 @@ var user = require('./../user.js'),
 		});
 
 		app.get('/users', function(req, res) {
-			console.log('derp');
 			user.getUserList(function(data) {
-				res.send(app.build_header() + app.create_route("users", "users") + templates['footer']);
+				res.send(app.build_header(res) + app.create_route("users", "users") + templates['footer']);
 			});
 		});
 
@@ -43,7 +42,7 @@ var user = require('./../user.js'),
 				
 				user.getUserData(uid, function(data) {
 					if(data) {
-						res.send(app.build_header() + app.create_route('users/'+data.username, 'account')  + templates['footer']);
+						res.send(app.build_header(res) + app.create_route('users/'+data.username, 'account')  + templates['footer']);
 					}
 					else {
 						res.redirect('/404');
@@ -60,7 +59,7 @@ var user = require('./../user.js'),
 			user.getUserField(req.user.uid, 'username', function(username) {
 			
 				if(req.params.username && username === req.params.username)
-					res.send(app.build_header() + app.create_route('users/'+req.params.username+'/edit','accountedit') + templates['footer']);
+					res.send(app.build_header(res) + app.create_route('users/'+req.params.username+'/edit','accountedit') + templates['footer']);
 				else
 					return res.redirect('/404');
 			});	
@@ -223,7 +222,7 @@ var user = require('./../user.js'),
 			if(!req.user)
 				return res.redirect('/403');
 			
-			res.send(app.build_header() + app.create_route('users/'+req.params.username+'/following','following') + templates['footer']);
+			res.send(app.build_header(res) + app.create_route('users/'+req.params.username+'/following','following') + templates['footer']);
 		});
 		
 		app.get('/users/:username/followers', function(req, res) {
@@ -231,11 +230,11 @@ var user = require('./../user.js'),
 			if(!req.user)
 				return res.redirect('/403');
 			
-			res.send(app.build_header() + app.create_route('users/'+req.params.username+'/followers','followers') + templates['footer']);
+			res.send(app.build_header(res) + app.create_route('users/'+req.params.username+'/followers','followers') + templates['footer']);
 		});
 
 		function api_method(req, res) {
-			console.log('derp');
+
 			var callerUID = req.user?req.user.uid : 0;
 	
 			if (!req.params.section && !req.params.username) {

src/webserver.js

@@ -23,10 +23,11 @@ var express = require('express'),
 (function(app) {
 	var templates = null;
 	
-	app.build_header = function() {
+	app.build_header = function(res) {
 		return templates['header'].parse({
 			cssSrc: global.config['theme:src'] || '/vendor/bootstrap/css/bootstrap.min.css',
-			title: global.config['title'] || 'NodeBB'
+			title: global.config['title'] || 'NodeBB',
+			csrf:res.locals.csrf_token
 		});
 	};
 
@@ -94,7 +95,7 @@ var express = require('express'),
 						return;
 					}
 					
-					res.send(app.build_header() + app.create_route(route) + templates['footer']);
+					res.send(app.build_header(res) + app.create_route(route) + templates['footer']);
 				});
 			}(routes[i]));
 		}
@@ -104,7 +105,7 @@ var express = require('express'),
 	app.get('/', function(req, res) {
 		categories.getAllCategories(function(returnData) {
 			res.send(
-				app.build_header() +
+				app.build_header(res) +
 				'\n\t<noscript>\n' + templates['noscript/header'] + templates['noscript/home'].parse(returnData) + '\n\t</noscript>' +
 				app.create_route('') +
 				templates['footer']
@@ -132,7 +133,7 @@ var express = require('express'),
 		var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');
 		topics.getTopicById(tid, ((req.user) ? req.user.uid : 0), function(topic) {
 			res.send(
-				app.build_header() +
+				app.build_header(res) +
 				'\n\t<noscript>\n' + templates['noscript/header'] + templates['noscript/topic'].parse(topic) + '\n\t</noscript>' +
 				'\n\t<script>templates.ready(function(){ajaxify.go("topic/' + topic_url + '");});</script>' +
 				templates['footer']
@@ -160,7 +161,7 @@ var express = require('express'),
 		categories.getCategoryById(cid, 0, function(returnData) {
 			console.log(returnData);
 			res.send(
-				app.build_header() +
+				app.build_header(res) +
 				'\n\t<noscript>\n' + templates['noscript/header'] + templates['noscript/category'].parse(returnData) + '\n\t</noscript>' +
 				'\n\t<script>templates.ready(function(){ajaxify.go("category/' + category_url + '");});</script>' +
 				templates['footer']
@@ -169,7 +170,7 @@ var express = require('express'),
 	});
 
 	app.get('/confirm/:code', function(req, res) {
-		res.send(app.build_header() + '<script>templates.ready(function(){ajaxify.go("confirm/' + req.params.code + '");});</script>' + templates['footer']);
+		res.send(app.build_header(res) + '<script>templates.ready(function(){ajaxify.go("confirm/' + req.params.code + '");});</script>' + templates['footer']);
 	});
 	
 	// These functions are called via ajax once the initial page is loaded to populate templates with data