
csrfミドルウェアを使用するようにした
diff --git a/chat.js b/chat.js
index c8f84e7..234501a 100644 (file)
--- a/chat.js
+++ b/chat.js
@@ -56,7 +56,7 @@ function chat_proc(req, res){
        var room_number = 0;\r
        if(typeof(req.query.rno) != "undefined")\r
                room_number = req.query.rno;\r
-       res.render("chat",{rno:room_number,token:info.token});\r
+       res.render("chat",{rno:room_number,token:req.session._csrf});\r
 }\r
 \r
 function auth_proc(user, pass) {\r
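Review bot: The render at the changed line reads the csrf middleware's internal session key `req.session._csrf` directly, and if the middleware has not run for this request (route mounted before it, or session created elsewhere) the view silently receives `token: undefined` instead of an error. Which middleware version is installed is not visible in this diff; the Connect-era `csrf` middleware did store the token under `req.session._csrf`, but later versions and csurf keep only a secret there and expose the usable token through `req.csrfToken()`, so if that function is available it is the supported way to obtain the value. Consider rejecting the request (or at least logging) when the token is missing rather than rendering an empty one. The same point applies to the `token:req.session._csrf` line in the admin_proc hunk below.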
@@ -68,11 +68,6 @@ function log_proc(req, res) {
 }\r
 \r
 function admin_postproc(req,res){\r
-       if(req.session.items.token != req.body.token)\r
-       {\r
-               res.send(resource.invaild_token_message);\r
-               return;\r
-       }\r
        if(typeof(req.body.erase) != "undefined")\r
        {\r
                removeLog(req.body.file,function(){\r
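Review bot: Removing the manual token check leaves admin_postproc protected only if the csrf middleware is mounted ahead of this route and after the session and body-parsing middleware; that wiring is not part of this diff, so please confirm the mount order, since with the check gone there is no in-handler fallback. The removed code compared against `req.session.items.token` while the rest of this commit reads `session._csrf`, so any other remaining reader of `items.token` is now stale, and `resource.invaild_token_message` may have become unused. admin_postproc's body continues outside the hunk.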
@@ -105,7 +100,7 @@ function admin_proc(req,res)
                        files: list,\r
                        log_directory:$log_directory,\r
                        ipbanlist:iplist,\r
-                       token:info.token,\r
+                       token:req.session._csrf,\r
                        roomlist:$rooms.GetString()\r
                });\r
        });\r
@@ -493,7 +488,7 @@ function ParseAuthorization(handshakeData, callback)
                                result = "failed get from session store";\r
                        else if(err)\r
                                result = err;\r
-                       else if(handshakeData.query.token != session.items.token)\r
+                       else if(handshakeData.query.token != session._csrf)\r
                                result = "invaild token";\r
                        if(typeof(session) != "undefined" && result == null)\r
                                handshakeData.sessionID = sessionID;\r
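Review bot: The new comparison `handshakeData.query.token != session._csrf` succeeds when both sides are undefined, so a session that never passed through the csrf middleware (no `_csrf` key) accepts a socket handshake that sends no token at all, and the loose `!=` additionally allows type coercion. Assuming the earlier branch of this chain (outside the hunk) already handles a missing session, guard the key and compare strictly: `else if(typeof(session._csrf) == "undefined" || handshakeData.query.token !== session._csrf)`. The old line had the same loose comparison, but the switch to the middleware-owned key makes the undefined case more likely in practice. ParseAuthorization's callback continues outside the hunk.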