sync/lib/web/csrf.js

/*
 * Adapted from https://github.com/expressjs/csurf
 */

var csrf = require("csrf");
var createError = require("http-errors");

var tokens = csrf();

exports.init = function csrfInit(req, res, next) {
    var secret = req.signedCookies._csrf;
    if (!secret) {
        secret = tokens.secretSync();
        res.cookie("_csrf", secret,  { signed: true, httpOnly: true });
    }

    var token;

    req.csrfToken = function csrfToken() {
        if (token) {
            return token;
        }

        token = tokens.create(secret);
        return token;
    };

    next();
};

exports.verify = function csrfVerify(req) {
    var secret = req.signedCookies._csrf;
    var token = req.body._csrf || req.query._csrf;

    if (!tokens.verify(secret, token)) {
        throw createError(403, 'invalid csrf token', {
            code: 'EBADCSRFTOKEN'
        });
    }
};
Add csrf prevention 2015-02-23 00:15:22 +00:00			`/*`
			`* Adapted from https://github.com/expressjs/csurf`
			`*/`

			`var csrf = require("csrf");`
			`var createError = require("http-errors");`

			`var tokens = csrf();`

			`exports.init = function csrfInit(req, res, next) {`
			`var secret = req.signedCookies._csrf;`
			`if (!secret) {`
			`secret = tokens.secretSync();`
			`res.cookie("_csrf", secret, { signed: true, httpOnly: true });`
			`}`

			`var token;`

			`req.csrfToken = function csrfToken() {`
			`if (token) {`
			`return token;`
			`}`

			`token = tokens.create(secret);`
			`return token;`
			`};`

			`next();`
			`};`

			`exports.verify = function csrfVerify(req) {`
			`var secret = req.signedCookies._csrf;`
			`var token = req.body._csrf \|\| req.query._csrf;`

			`if (!tokens.verify(secret, token)) {`
			`throw createError(403, 'invalid csrf token', {`
			`code: 'EBADCSRFTOKEN'`
			`});`
			`}`
			`};`