From 59d26d6fc93767d0e39062fcfc45a68f8d7b58be Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 20 Jun 2013 12:41:22 -0400
Subject: [PATCH] implementing express.csrf for login and register pages (the only places where HTTP forms are used). Fixes #8

---
 public/templates/login.tpl | 1 +
 public/templates/register.tpl | 1 +
 src/webserver.js | 16 ++++++++++++----
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/public/templates/login.tpl b/public/templates/login.tpl
index ab93ba3c21..33b91ae51e 100644
--- a/public/templates/login.tpl
+++ b/public/templates/login.tpl
@@ -9,6 +9,7 @@


+   Forgot Password?
diff --git a/public/templates/register.tpl b/public/templates/register.tpl
index 2bdfb53828..a27ba78cd5 100644
--- a/public/templates/register.tpl
+++ b/public/templates/register.tpl
@@ -5,6 +5,7 @@


+ diff --git a/src/webserver.js b/src/webserver.js index a4f9592d2b..13ffa36297 100644 --- a/src/webserver.js +++ b/src/webserver.js @@ -44,7 +44,11 @@ var express = require('express'), secret: global.config.secret, key: 'express.sid' })); - + app.use(express.csrf()); + app.use(function(req, res, next) { + res.locals.csrf_token = req.session._csrf; + next(); + }); module.exports.init = function() { templates = global.templates; @@ -204,6 +208,8 @@ var express = require('express'), } } + data.token = res.locals.csrf_token; + res.send(JSON.stringify(data)); break; case 'register' : @@ -226,6 +232,8 @@ var express = require('express'), } } + data.token = res.locals.csrf_token; + res.send(JSON.stringify(data)); break; case 'topic' : @@ -282,10 +290,10 @@ var express = require('express'), app.get('/api/:method/:id/:section?', api_method); app.get('/api/:method/:id*', api_method); - app.get('/test', function(req, res) { - var ThreadTools = require('./threadTools.js'); - ThreadTools.notify_followers(3); + app.all('/test', function(req, res) { res.send(); + // console.log('CSRF is: ', res.locals.token); + // res.send('
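Review bot: `app.use(express.csrf())` only sees a form-submitted token if the body parser has already run, because the middleware's default lookup reads `req.body._csrf` (falling back to `req.query._csrf` and the `X-CSRF-Token` header), and this hunk mounts it directly after `express.session(...)` without showing where `express.bodyParser()` sits; if the body parser is mounted later in the stack, every POST to the login and register forms will be rejected with 403. Please confirm the order in the part of the middleware chain above the hunk and record it at the mount point, e.g. `// must run after session() and bodyParser(): csrf() stores the token in req.session._csrf and reads it back from req.body._csrf`. The next middleware copies `req.session._csrf` into `res.locals.csrf_token`, which ties the app to that internal session key; later connect releases expose the token through `req.csrfToken()` and keep a different value under `_csrf`, so this line is the one to revisit when the dependency is upgraded. The enclosing `app.use(express.session({...}))` call and `module.exports.init` both extend outside the hunk.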
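Review bot: `data.token = res.locals.csrf_token` returns the session's CSRF token in the JSON body of a GET to `/api/login`, so the token is exactly as private as that response; that holds under the same-origin policy, but these routes must then never be served with a permissive CORS policy or a cacheable `Cache-Control`, or another origin or a shared cache could obtain a token valid for the victim's session. Judging by the first hunk, which reads the token back from `req.session._csrf`, it appears to live for the whole session, so a leak here would undermine the protection for every form rather than just this one. Consider adding `res.set('Cache-Control', 'no-store');` before `res.send(JSON.stringify(data));` together with a one-line comment on why the token is exposed here, and applying the same to the identical line added in the `register` case in the following hunk. The `api_method` switch these cases belong to starts and ends outside the hunk.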
'); });
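Review bot: the rewritten `/test` route is a leftover debugging endpoint that now answers every HTTP method via `app.all` with an empty response, followed by two commented-out lines; the commented `res.locals.token` also does not match the `res.locals.csrf_token` name set by the new middleware, so the dead code would not work even if revived. Delete the route and the commented lines before merging, or, if a CSRF smoke-test endpoint is genuinely wanted, register it only outside production (e.g. wrap it in `if (process.env.NODE_ENV !== 'production') { ... }`) and replace the commented code with a comment stating what the endpoint is for. Removing the old `ThreadTools.notify_followers(3)` call is the right change, since it triggered a side effect from a plain GET; the replacement just should not ship. The `init` function that registers these routes begins above the hunk.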