From: konekoneko
Date: Thu, 22 Nov 2012 18:27:24 +0000 (+0900)
Subject: csrfミドルウェアを使用するようにした
X-Git-Url: http://git.osdn.jp/view?a=commitdiff_plain;h=bacedec1d692e640e9ac174b26ac87e50a6d203d;p=webchat%2FWebChat.git

csrfミドルウェアを使用するようにした
---

diff --git a/chat.js b/chat.js
index c8f84e7..234501a 100644
--- a/chat.js
+++ b/chat.js
@@ -56,7 +56,7 @@ function chat_proc(req, res){
 var room_number = 0;
 if(typeof(req.query.rno) != "undefined")
 room_number = req.query.rno;
- res.render("chat",{rno:room_number,token:info.token});
+ res.render("chat",{rno:room_number,token:req.session._csrf});
 }
 
 function auth_proc(user, pass) {
@@ -68,11 +68,6 @@ function log_proc(req, res) {
 }
 
 function admin_postproc(req,res){
- if(req.session.items.token != req.body.token)
- {
- res.send(resource.invaild_token_message);
- return;
- }
 if(typeof(req.body.erase) != "undefined")
 {
 removeLog(req.body.file,function(){
@@ -105,7 +100,7 @@ function admin_proc(req,res)
 files: list,
 log_directory:$log_directory,
 ipbanlist:iplist,
- token:info.token,
+ token:req.session._csrf,
 roomlist:$rooms.GetString()
 });
 });
@@ -493,7 +488,7 @@ function ParseAuthorization(handshakeData, callback)
 result = "failed get from session store";
 else if(err)
 result = err;
- else if(handshakeData.query.token != session.items.token)
+ else if(handshakeData.query.token != session._csrf)
 result = "invaild token";
 if(typeof(session) != "undefined" && result == null)
 handshakeData.sessionID = sessionID;
diff --git a/main.js b/main.js
index cd72b94..dc87c33 100644
--- a/main.js
+++ b/main.js
@@ -34,6 +34,7 @@ app.configure(function(){
 store:sessionStore,
 cookie: { httpOnly: false }
 }));
+ app.use(express.csrf());
 app.use(app.router);
 app.use(express.static(__dirname + "/public"));
 });
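Review bot: The new comparison in ParseAuthorization keeps the loose `!=` and accepts the handshake when both `handshakeData.query.token` and `session._csrf` are undefined, so a session that never passed through the csrf middleware (and so has no `_csrf` yet) would be authorized with no token at all; the old `session.items.token` check had the same shape. Require a present token explicitly: `else if(typeof(session._csrf) != "string" || handshakeData.query.token !== session._csrf)`. Whether such a session can reach this code depends on middleware order in main.js, which this hunk does not show. ParseAuthorization starts and ends outside the hunk.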
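Review bot: With `express.csrf()` inserted here it becomes the only CSRF check for the POST handlers whose manual token comparisons this commit removes (admin_postproc in chat.js; admin_postproc, detail_postproc, edit_postproc and registor_postproc in profile.js), and its correctness depends on ordering that the hunk does not show: Connect's csrf reads the token from `req.body._csrf`, `req.query._csrf` or the `x-csrf-token` header, so the body parser must already be mounted above this line — confirm. Connect's csrf also skips GET, HEAD and OPTIONS, so any state-changing route that is reached by GET is left without protection. The `cookie: { httpOnly: false }` context line just above keeps the session cookie readable from script, which is worth revisiting together with this change. A comment on the new line, `// csrf must come after session() and the body parser, and before app.router`, would record the ordering constraint.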
@@ -46,10 +47,10 @@ app.configure("production", function(){ app.use(express.errorHandler()); }); -if(config.enable_profile) - require("./profile")(app); - var server = http.createServer(app).listen(config.port); console.log("Express server listening on port %d in %s mode", config.port, app.settings.env); require("./chat")(app,server,express,sessionStore); + +if(config.enable_profile) + require("./profile")(app); diff --git a/profile.js b/profile.js index 15547b3..d93ed48 100644 --- a/profile.js +++ b/profile.js @@ -31,7 +31,7 @@ function admin_proc(req, res) if(err != null) RenderMessage(res,err,info); else{ - result.token = info.token; + result.token = req.session._csrf; res.setHeader("X-FRAME-OPTIONS","DENY"); res.render("profile/admin",result); } @@ -40,10 +40,6 @@ function admin_proc(req, res) function admin_postproc(req,res) { - if(req.session.items.token != req.body.token){ - RenderMessage(res,resource.invaild_parameter,req.session.items); - return; - } async.waterfall([ function(cb){ if(typeof(req.body.removeall) != "undefined") @@ -132,17 +128,13 @@ function detail_proc(req, res) RenderMessage(res,resource.notfound_name,req.session.items); else{ res.setHeader("X-FRAME-OPTIONS","DENY"); - res.render("profile/detail",{list:result,token:req.session.items.token,admin:req.session.items.admin}); + res.render("profile/detail",{list:result,token:req.session._csrf,admin:req.session.items.admin}); } }); } function detail_postproc(req, res) { - if(req.session.items.token != req.body.token){ - RenderMessage(res,resource.invaild_parameter,req.session.items); - return; - } if(typeof(req.body.remove) != "undefined"){ async.waterfall([ function(cb){ 
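Review bot: The reason for moving `require("./profile")(app)` below `require("./chat")(app,server,express,sessionStore)` is not stated in the hunk or the commit message. Since Express 3 dispatches routes at the `app.use(app.router)` position regardless of when they are registered, the visible effect is presumably only the relative registration order of the two route sets (and that profile's routes are now registered after `listen`) — confirm that this is the intent. A one-line comment such as `// registered after chat so chat's routes are matched first` would keep the ordering from being "fixed" back by a later cleanup.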
@@ -184,7 +176,7 @@ function detail_postproc(req, res) RenderMessage(res,err,req.session.items); }else if(result != null){ res.setHeader("X-FRAME-OPTIONS","DENY"); - res.render("profile/edit",{list:result,token:req.body.token}); + res.render("profile/edit",{list:result,token:req.session._csrf}); }else{ RenderMessage(res,resource.unmatch_password,req.session.items); } @@ -196,10 +188,6 @@ function detail_postproc(req, res) function edit_postproc(req, res) { - if(req.session.items.token != req.body.token){ - RenderMessage(res,resource.invaild_parameter,req.session.items); - return; - } if(typeof(req.body.name) == "undefined") { RenderMessage(res,resource.invaild_parameter,req.session.items); @@ -225,10 +213,6 @@ function edit_postproc(req, res) function registor_postproc(req, res) { - if(req.session.items.token != req.body.token){ - RenderMessage(res,resource.invaild_parameter,req.session.items); - return; - } if(typeof(req.body.registor) != "undefined"){ async.waterfall([ function(cb){ @@ -251,13 +235,13 @@ function registor_proc(req, res) req.session.items = new security.SessionInfomation(false); res.setHeader("X-FRAME-OPTIONS","DENY"); - res.render("profile/registor",{token:req.session.items.token}); + res.render("profile/registor",{token:req.session._csrf}); } function RenderMessage(res,msg,info) { - if(typeof(info) == "undefined") - res.render("profile/message",{message:msg}); + if(typeof(info) == "undefined" || typeof(info.admin) == "undefined") + res.render("profile/message",{message:msg,admin:false}); else res.render("profile/message",{message:msg,admin:info.admin}); } diff --git a/public/admin.ejs b/public/admin.ejs index 46bc8cd..6b75fb8 100644 --- a/public/admin.ejs +++ b/public/admin.ejs @@ -37,7 +37,7 @@ <% } %> - + @@ -46,7 +46,7 @@
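Review bot: The widened guard in RenderMessage still dereferences `info.admin` when `info` is null, because `typeof(null)` is `"object"`, so a caller passing a null `req.session.items` gets a TypeError instead of the message page; the callers in this file pass `req.session.items` or `info`, whose nullability is not visible here. `if(info == null || typeof(info.admin) == "undefined")` covers both null and undefined while keeping the new `admin:false` fallback.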

IPBANリスト


- + @@ -55,7 +55,7 @@

ルームリスト


- + diff --git a/public/chat.ejs b/public/chat.ejs index ac6ac66..add32d6 100644 --- a/public/chat.ejs +++ b/public/chat.ejs @@ -88,7 +88,7 @@
- + diff --git a/public/profile/edit.ejs b/public/profile/edit.ejs index cf4a4f0..084eb2c 100644 --- a/public/profile/edit.ejs +++ b/public/profile/edit.ejs @@ -46,7 +46,7 @@ - +
diff --git a/public/profile/registor.ejs b/public/profile/registor.ejs index 23be2df..96ec685 100644 --- a/public/profile/registor.ejs +++ b/public/profile/registor.ejs @@ -43,7 +43,7 @@ - + diff --git a/public/scripts/chatclient.js b/public/scripts/chatclient.js index 4b35312..06406fe 100644 --- a/public/scripts/chatclient.js +++ b/public/scripts/chatclient.js @@ -47,7 +47,7 @@ $(document).ready(function(){ document.chat_form.onsubmit = function(){return false;}; document.enter_form.onsubmit = function(){return false;}; - $socket = io.connect(location.hostname + "/" + document.chat_form.rno.value + "?token="+ encodeURIComponent(document.chat_form.token.value)); + $socket = io.connect(location.hostname + "/" + document.chat_form.rno.value + "?token="+ encodeURIComponent(document.chat_form._csrf.value)); $socket.on("error",getErrorMessage); $socket.on("send roominfo",sendRoomInfoListerner); $socket.on("send romcount",sendRomCountListerner); diff --git a/security.js b/security.js index 5e8ba8a..8e2f03c 100644 --- a/security.js +++ b/security.js @@ -1,15 +1,3 @@ -var $token_length = 32; //トークンの長さ - -module.exports.SessionInfomation = function(admin){ - this.token = GetToken($token_length); +module.exports.SessionInfomation = function(admin){ this.admin = admin; }; - -function GetToken(length){ - var RandomString = ""; - var BaseString ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; - for(var i=0; i < length; i++) { - RandomString += BaseString.charAt( Math.floor( Math.random() * BaseString.length)); - } - return RandomString; -};
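Review bot: The value read from `document.chat_form._csrf.value` is the session's `_csrf` secret that `express.csrf()` now accepts for every POST, and it is sent in the socket.io handshake URL as `?token=`, so it appears in the request line of the handshake and therefore in access logs and intermediaries; the old per-session token was exposed the same way, but it only guarded this application's own checks. Also, the new selector requires the hidden field in chat.ejs to be named `_csrf`; the chat.ejs hunk's content is not legible on this page, so confirm the field name matches. If the query-string transport is kept, a comment `// token is the session _csrf secret; keep this URL out of client-side logging` would flag the sensitivity for the next reader.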