diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
index 806be9d50b..42d5471d75 100644
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@@ -34,7 +34,7 @@ middleware.authenticate = function(req, res, next) {
 }
 };
-middleware.requireCSRF = csrf();
+middleware.applyCSRF = csrf();
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn();
diff --git a/src/routes/admin.js b/src/routes/admin.js
index c18cc8665c..04c6169489 100644
--- a/src/routes/admin.js
+++ b/src/routes/admin.js
@@ -9,8 +9,8 @@ function mainRoutes(app, middleware, controllers) {
 app.get('/admin/plugins', middleware.admin.buildHeader, controllers.admin.plugins.get);
 app.get('/api/admin/plugins', controllers.admin.plugins.get);
- app.get('/admin/settings', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.settings.get);
- app.get('/api/admin/settings', middleware.requireCSRF, controllers.admin.settings.get);
+ app.get('/admin/settings', middleware.applyCSRF, middleware.admin.buildHeader, controllers.admin.settings.get);
+ app.get('/api/admin/settings', middleware.applyCSRF, controllers.admin.settings.get);
 app.get('/admin/themes', middleware.admin.buildHeader, controllers.admin.themes.get);
 app.get('/api/admin/themes', controllers.admin.themes.get);
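Review bot: `middleware.applyCSRF = csrf();` deserves a comment stating what the renamed middleware does per HTTP method, because the route files attach it both to GET routes (where it can only seed a token) and to POST routes (where it verifies one), and the new name does not say which. As far as I recall csurf's defaults, GET/HEAD/OPTIONS are never verified and only get `req.csrfToken()` made available, so mounting it on a GET route protects nothing by itself; protection comes from the POST handlers that carry it. Suggested comment above the line: `// csurf: on GET/HEAD/OPTIONS this only exposes req.csrfToken() for the page to embed; on other methods it rejects requests whose _csrf token does not match the session secret.` The `middleware.authenticate` body that precedes it starts outside the hunk.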
@@ -43,11 +43,11 @@ function userRoutes(app, middleware, controllers) {
 }
 function forumRoutes(app, middleware, controllers) {
- app.get('/admin/categories/active', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.categories.active);
- app.get('/api/admin/categories/active', middleware.requireCSRF, controllers.admin.categories.active);
+ app.get('/admin/categories/active', middleware.applyCSRF, middleware.admin.buildHeader, controllers.admin.categories.active);
+ app.get('/api/admin/categories/active', middleware.applyCSRF, controllers.admin.categories.active);
- app.get('/admin/categories/disabled', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.categories.disabled);
- app.get('/api/admin/categories/disabled', middleware.requireCSRF, controllers.admin.categories.disabled);
+ app.get('/admin/categories/disabled', middleware.applyCSRF, middleware.admin.buildHeader, controllers.admin.categories.disabled);
+ app.get('/api/admin/categories/disabled', middleware.applyCSRF, controllers.admin.categories.disabled);
 app.get('/admin/tags', middleware.admin.buildHeader, controllers.admin.tags.get);
 app.get('/api/admin/tags', controllers.admin.tags.get);
@@ -57,10 +57,10 @@ function apiRoutes(app, middleware, controllers) {
 // todo, needs to be in api namespace
 app.get('/admin/users/csv', middleware.authenticate, controllers.admin.users.getCSV);
- app.post('/admin/category/uploadpicture', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadCategoryPicture);
- app.post('/admin/uploadfavicon', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadFavicon);
- app.post('/admin/uploadlogo', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadLogo);
- app.post('/admin/uploadgravatardefault', middleware.requireCSRF, middleware.authenticate, controllers.admin.uploads.uploadGravatarDefault);
+ app.post('/admin/category/uploadpicture', middleware.applyCSRF, middleware.authenticate, controllers.admin.uploads.uploadCategoryPicture);
+ app.post('/admin/uploadfavicon', middleware.applyCSRF, middleware.authenticate, controllers.admin.uploads.uploadFavicon);
+ app.post('/admin/uploadlogo', middleware.applyCSRF, middleware.authenticate, controllers.admin.uploads.uploadLogo);
+ app.post('/admin/uploadgravatardefault', middleware.applyCSRF, middleware.authenticate, controllers.admin.uploads.uploadGravatarDefault);
 }
 function miscRoutes(app, middleware, controllers) {
diff --git a/src/routes/api.js b/src/routes/api.js
index 5a59a2387d..aff69efe9e 100644
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -203,8 +203,8 @@ module.exports = function(app, middleware, controllers) {
 router.get('/categories/:cid/moderators', getModerators);
 router.get('/recent/posts/:term?', getRecentPosts);
- router.post('/post/upload', middleware.requireCSRF, uploadPost);
- router.post('/topic/thumb/upload', middleware.requireCSRF, uploadThumb);
- router.post('/user/:userslug/uploadpicture', middleware.requireCSRF, middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
+ router.post('/post/upload', middleware.applyCSRF, uploadPost);
+ router.post('/topic/thumb/upload', middleware.applyCSRF, uploadThumb);
+ router.post('/user/:userslug/uploadpicture', middleware.applyCSRF, middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
 };
diff --git a/src/routes/authentication.js b/src/routes/authentication.js
index 6471814ad5..8925d6a539 100644
--- a/src/routes/authentication.js
+++ b/src/routes/authentication.js
@@ -197,8 +197,8 @@
 /* End backwards compatibility block */
 app.post('/logout', logout);
- app.post('/register', middleware.requireCSRF, register);
- app.post('/login', middleware.requireCSRF, login);
+ app.post('/register', middleware.applyCSRF, register);
+ app.post('/login', middleware.applyCSRF, login);
 });
 });
 };
diff --git a/src/routes/index.js b/src/routes/index.js
index 0789b2474c..85090aaf2e 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
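Review bot: `router.post('/post/upload', middleware.applyCSRF, uploadPost);` and the `/topic/thumb/upload` line below it carry no `middleware.authenticate`, unlike `/user/:userslug/uploadpicture` two lines further down, so an anonymous request reaches `uploadPost`/`uploadThumb` unless those handlers check `req.user` themselves (they are outside this hunk, so I cannot confirm either way). A CSRF token is not an authentication check here: the login and register GET routes in index.js apply the same middleware to anonymous visitors, so any client can obtain a valid token before posting. If the handlers do not guard themselves, `router.post('/post/upload', middleware.applyCSRF, middleware.authenticate, uploadPost);` and the equivalent for `/topic/thumb/upload` would close that and make the route table self-describing. The enclosing `module.exports` function starts outside the hunk.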
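Review bot: `app.post('/logout', logout);` is left without `middleware.applyCSRF` while `/register` and `/login` directly below it receive it, so a cross-site form POST can still terminate a victim's session (logout CSRF) unless csurf is also mounted globally somewhere this hunk does not show. Login and logout both change session state and should be protected alike; the line would become `app.post('/logout', middleware.applyCSRF, logout);`, with the client's logout request then sending the token the same way the login form does. The enclosing callback starts outside the hunk.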
@@ -21,11 +21,11 @@ function mainRoutes(app, middleware, controllers) {
 app.get('/', middleware.buildHeader, controllers.home);
 app.get('/api', controllers.home);
- app.get('/login', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.login);
- app.get('/api/login', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, controllers.login);
+ app.get('/login', middleware.applyCSRF, middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.login);
+ app.get('/api/login', middleware.applyCSRF, middleware.redirectToAccountIfLoggedIn, controllers.login);
- app.get('/register', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.register);
- app.get('/api/register', middleware.requireCSRF, middleware.redirectToAccountIfLoggedIn, controllers.register);
+ app.get('/register', middleware.applyCSRF, middleware.redirectToAccountIfLoggedIn, middleware.buildHeader, controllers.register);
+ app.get('/api/register', middleware.applyCSRF, middleware.redirectToAccountIfLoggedIn, controllers.register);
 app.get('/confirm/:code', middleware.buildHeader, controllers.confirmEmail);
 app.get('/api/confirm/:code', controllers.confirmEmail);
@@ -54,11 +54,11 @@ function staticRoutes(app, middleware, controllers) {
 function topicRoutes(app, middleware, controllers) {
 app.get('/api/topic/teaser/:topic_id', controllers.topics.teaser);
- app.get('/topic/:topic_id/:slug/:post_index?', middleware.requireCSRF, middleware.buildHeader, middleware.checkPostIndex, controllers.topics.get);
- app.get('/api/topic/:topic_id/:slug/:post_index?', middleware.requireCSRF, middleware.checkPostIndex, controllers.topics.get);
+ app.get('/topic/:topic_id/:slug/:post_index?', middleware.applyCSRF, middleware.buildHeader, middleware.checkPostIndex, controllers.topics.get);
+ app.get('/api/topic/:topic_id/:slug/:post_index?', middleware.applyCSRF, middleware.checkPostIndex, controllers.topics.get);
- app.get('/topic/:topic_id/:slug?', middleware.requireCSRF, middleware.buildHeader, middleware.addSlug, controllers.topics.get);
- app.get('/api/topic/:topic_id/:slug?', middleware.requireCSRF, middleware.addSlug, controllers.topics.get);
+ app.get('/topic/:topic_id/:slug?', middleware.applyCSRF, middleware.buildHeader, middleware.addSlug, controllers.topics.get);
+ app.get('/api/topic/:topic_id/:slug?', middleware.applyCSRF, middleware.addSlug, controllers.topics.get);
 }
 function tagRoutes(app, middleware, controllers) {
@@ -82,11 +82,11 @@ function categoryRoutes(app, middleware, controllers) {
 app.get('/api/unread/total', middleware.authenticate, controllers.categories.unreadTotal);
- app.get('/category/:category_id/:slug/:topic_index', middleware.requireCSRF, middleware.buildHeader, middleware.checkTopicIndex, controllers.categories.get);
- app.get('/api/category/:category_id/:slug/:topic_index', middleware.requireCSRF, middleware.checkTopicIndex, controllers.categories.get);
+ app.get('/category/:category_id/:slug/:topic_index', middleware.applyCSRF, middleware.buildHeader, middleware.checkTopicIndex, controllers.categories.get);
+ app.get('/api/category/:category_id/:slug/:topic_index', middleware.applyCSRF, middleware.checkTopicIndex, controllers.categories.get);
- app.get('/category/:category_id/:slug?', middleware.requireCSRF, middleware.buildHeader, middleware.addSlug, controllers.categories.get);
- app.get('/api/category/:category_id/:slug?', middleware.requireCSRF, controllers.categories.get);
+ app.get('/category/:category_id/:slug?', middleware.applyCSRF, middleware.buildHeader, middleware.addSlug, controllers.categories.get);
+ app.get('/api/category/:category_id/:slug?', middleware.applyCSRF, controllers.categories.get);
 }
 function accountRoutes(app, middleware, controllers) {
@@ -108,8 +108,8 @@ function accountRoutes(app, middleware, controllers) {
 app.get('/user/:userslug/topics', middleware.buildHeader, middleware.checkGlobalPrivacySettings, controllers.accounts.getTopics);
 app.get('/api/user/:userslug/topics', middleware.checkGlobalPrivacySettings, controllers.accounts.getTopics);
- app.get('/user/:userslug/edit', middleware.requireCSRF, middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
- app.get('/api/user/:userslug/edit', middleware.requireCSRF, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
+ app.get('/user/:userslug/edit', middleware.applyCSRF, middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
+ app.get('/api/user/:userslug/edit', middleware.applyCSRF, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
 app.get('/user/:userslug/settings', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);
 app.get('/api/user/:userslug/settings', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);