csrf middleware

nhim175 · Sep 29, 2018 · 8c0dae0 · 8c0dae0
1 parent 100b7e9
commit 8c0dae0
Show file tree

Hide file tree

Showing 7 changed files with 119 additions and 2 deletions.
diff --git a/controllers/transfer.controller.js b/controllers/transfer.controller.js
@@ -0,0 +1,20 @@
+var shortid = require('shortid');
+
+var db = require('../db');
+
+module.exports.create = function(req, res, next) {
+  res.render('transfer/create', {
+    csrfToken: req.csrfToken()
+  });
+};
+
+module.exports.postCreate = function(req, res, next) {
+  var data = {
+    id: shortid.generate(),
+    amount: parseInt(req.body.amount),
+    accountId: req.body.accountId,
+    userId: req.signedCookies.userId
+  };
+  db.get('transfers').push(data).write();
+  res.redirect('/transfer/create');
+};
diff --git a/db.js b/db.js
@@ -5,7 +5,11 @@ var adapter = new FileSync('db.json');
 db = low(adapter);
 
 // Set some defaults (required if your JSON file is empty)
-db.defaults({ users: [], sessions: [] })
+db.defaults({
+  users: [],
+  sessions: [],
+  transfers: []
+})
   .write();
 
 module.exports = db;
diff --git a/index.js b/index.js
@@ -2,12 +2,14 @@ require('dotenv').config();
 
 var express = require('express');
 var bodyParser = require('body-parser');
-var cookieParser = require('cookie-parser')
+var cookieParser = require('cookie-parser');
+var csurf = require('csurf');
 
 var userRoute = require('./routes/user.route');
 var authRoute = require('./routes/auth.route');
 var productRoute = require('./routes/product.route');
 var cartRoute = require('./routes/cart.route');
+var transferRoute = require('./routes/transfer.route');
 
 var authMiddleware = require('./middlewares/auth.middleware');
 var sessionMiddleware = require('./middlewares/session.middleware');
@@ -22,6 +24,7 @@ app.use(bodyParser.json()); // for parsing application/json
 app.use(bodyParser.urlencoded({ extended: true })); // for parsing application/x-www-form-urlencoded
 app.use(cookieParser(process.env.SESSION_SECRET));
 app.use(sessionMiddleware);
+app.use(csurf({ cookie: true }));
 
 app.use(express.static('public'));
 
@@ -36,6 +39,7 @@ app.use('/users', authMiddleware.requireAuth, userRoute);
 app.use('/auth', authRoute);
 app.use('/products', productRoute);
 app.use('/cart', cartRoute);
+app.use('/transfer', authMiddleware.requireAuth, transferRoute);
 
 app.listen(port, function() {
   console.log('Server listening on port ' + port);

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -12,6 +12,7 @@
   "dependencies": {
     "body-parser": "^1.18.3",
     "cookie-parser": "^1.4.3",
+    "csurf": "^1.9.0",
     "dotenv": "^6.0.0",
     "express": "^4.16.3",
     "lowdb": "^1.0.0",

diff --git a/routes/transfer.route.js b/routes/transfer.route.js
@@ -0,0 +1,10 @@
+var express = require('express');
+
+var controller = require('../controllers/transfer.controller');
+
+var router = express.Router();
+
+router.get('/create', controller.create);
+router.post('/create', controller.postCreate);
+
+module.exports = router;
diff --git a/views/transfer/create.pug b/views/transfer/create.pug
@@ -0,0 +1,17 @@
+extends ../layouts/common.pug
+
+block content
+  h1 New transfer
+
+  form(method="POST")
+    input(type="hidden", name="_csrf", value=csrfToken)
+
+    .form-group
+      label(for="account") Account
+      input#account.form-control(name="accountId", type="text")
+
+    .form-group
+      label(for="amount") Amount
+      input#amount.form-control(name="amount", type="number")
+
+    button.btn.btn-primary Transfer