arnaucube
/
comunicationLeap
mirror of https://github.com/arnaucube/comunicationLeap.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
2.0 MiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
comunicationLeap/node_modules/connect/lib/middleware/csrf.js

73 lines
1.7 KiB
Raw Permalink Normal View History

nodejs with express server, leapmotion for movement control, and threejs for 3d render
8 years ago
  1. /*!
  2. * Connect - csrf
  3. * Copyright(c) 2011 Sencha Inc.
  4. * MIT Licensed
  5. */
  7. /**
  8. * Module dependencies.
  9. */
  11. var utils = require('../utils');
  13. /**
  14. * Anti CSRF:
  15. *
  16. * CRSF protection middleware.
  17. *
  18. * By default this middleware generates a token named "_csrf"
  19. * which should be added to requests which mutate
  20. * state, within a hidden form field, query-string etc. This
  21. * token is validated against the visitor's `req.session._csrf`
  22. * property.
  23. *
  24. * The default `value` function checks `req.body` generated
  25. * by the `bodyParser()` middleware, `req.query` generated
  26. * by `query()`, and the "X-CSRF-Token" header field.
  27. *
  28. * This middleware requires session support, thus should be added
  29. * somewhere _below_ `session()` and `cookieParser()`.
  30. *
  31. * Options:
  32. *
  33. * - `value` a function accepting the request, returning the token
  34. *
  35. * @param {Object} options
  36. * @api public
  37. */
  39. module.exports = function csrf(options) {
  40. options = options || {};
  41. var value = options.value || defaultValue;
  43. return function(req, res, next){
  44. // generate CSRF token
  45. var token = req.session._csrf || (req.session._csrf = utils.uid(24));
  47. // ignore these methods
  48. if ('GET' == req.method || 'HEAD' == req.method || 'OPTIONS' == req.method) return next();
  50. // determine value
  51. var val = value(req);
  53. // check
  54. if (val != token) return next(utils.error(403));
  56. next();
  57. }
  58. };
  60. /**
  61. * Default value function, checking the `req.body`
  62. * and `req.query` for the CSRF token.
  63. *
  64. * @param {IncomingMessage} req
  65. * @return {String}
  66. * @api private
  67. */
  69. function defaultValue(req) {
  70. return (req.body && req.body._csrf)
  71. || (req.query && req.query._csrf)
  72. || (req.headers['x-csrf-token']);
  73. }