3part bind csrf

周少峰
Commit fa25834dd42ca41cb136c6c2faee4f01a498f979 1 parent b504ca5f
Showing 5 changed files with 20 additions and 2 deletions
apps/home/router.js
apps/home/views/action/home/user/index.hbs
doraemon/middleware/csrf.js
package.json
public/js/home/3party-bind.js
--- a/apps/home/router.js
View file @fa25834
+++ b/apps/home/router.js
View file @fa25834
@@ -9,6 +9,8 @@ const express = require('express');
 const router = express.Router(); // eslint-disable-line
 const cRoot = './controllers';
 const captcha = require('../passport/controllers/captcha');
+ const csrf = require('../../doraemon/middleware/csrf')();
+ 
 
 const newUserController = require(`${cRoot}/new-user`);
 
@@ -161,7 +163,7 @@ router.get('/orders/refundreason', ordersController.refundReason);
 
 
 // router.get('/coupons', CouponsController.index);
- router.get('/user', tabsMiddleware.getCommonHeader, UserController.index);
+ router.get('/user', csrf, tabsMiddleware.getCommonHeader, UserController.index);
 
 router.post('/user/edituserinfo', UserController.editUserInfo);
 
@@ -202,7 +204,7 @@ router.get('/bind/douban', bindController.douban.login);
 router.get('/bind/renren', bindController.renren.login);
 router.get('/bind/renren/callback', bindController.renren.callback);
 
- router.post('/cancelbind/:type', bindController.cancelBind);
+ router.post('/cancelbind/:type', csrf, bindController.cancelBind);
 
 // 账号安全
 router.get('/account', tabsMiddleware.getCommonHeader, AccountController.index);
--- a/apps/home/views/action/home/user/index.hbs
View file @fa25834
+++ b/apps/home/views/action/home/user/index.hbs
View file @fa25834
@@ -12,6 +12,7 @@
                {{> home/edit/habbit}}
                {{> home/edit/favorite}}
             </div>
+             <input type="hidden" name="_csrf" value="{{../csrfToken}}" />
         </div>
         {{#if isShowTip}}
         <p class="help-us">
--- a/doraemon/middleware/csrf.js 0 → 100644
View file @fa25834
+++ b/doraemon/middleware/csrf.js 0 → 100644
View file @fa25834
+ 'use strict';
+ 
+ const csrf = require('csurf');
+ const csrfInit = csrf();
+ const csrfToken = (req, res, next) => {
+     res.locals.csrfToken = req.csrfToken();
+     next();
+ }
+ 
+ module.exports = () => {
+     return [csrfInit, csrfToken];
+ }
\ No newline at end of file
--- a/package.json
View file @fa25834
+++ b/package.json
View file @fa25834
@@ -29,6 +29,7 @@
     "connect-memcached": "^0.2.0",
     "connect-multiparty": "^2.0.0",
     "cookie-parser": "^1.4.3",
+     "csurf": "^1.9.0",
     "express": "^4.13.1",
     "lodash": "^4.13.1",
     "md5": "^2.1.0",
--- a/public/js/home/3party-bind.js
View file @fa25834
+++ b/public/js/home/3party-bind.js
View file @fa25834
@@ -12,6 +12,7 @@ var labelMap = {
     alipay: '支付宝',
     wechat: '微信'
 };
+ var csrfToken = $('input[name=_csrf]').val();
 
 document.domain = 'yohobuy.com';
 
@@ -144,6 +145,7 @@ $('#Y_bindAccount').on('click', '.account-item .cancel-bind-btn', function() {
             $.ajax({
                 url: url,
                 type: 'POST',
+                 data: {_csrf: csrfToken},
                 dataType: 'json'
             })
             .then(function(data) {