feat: implement CSRF token in export user data
Signed-off-by: Raccoon <raccoon@hackmd.io>
parent
282fcab4f7
commit
0280a2e6ff
|
@ -16,7 +16,8 @@ exports.showIndex = async (req, res) => {
|
|||
errorMessage: req.flash('error'),
|
||||
privacyStatement: fs.existsSync(path.join(config.docsPath, 'privacy.md')),
|
||||
termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md')),
|
||||
deleteToken: deleteToken
|
||||
deleteToken: deleteToken,
|
||||
csrfToken: req.csrfToken()
|
||||
}
|
||||
|
||||
if (!isLogin) {
|
||||
|
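Review bot: `csrfToken: req.csrfToken()` only works on a request that passed through csurf, and nothing in this function records that dependency; it holds in this commit because GET `/` is the one route given `csurfMiddleware`, so mounting `showIndex` on another path or calling it from a test fails with `TypeError: req.csrfToken is not a function`. A short comment above the line makes the coupling visible, e.g. `// req.csrfToken() is provided by csurfMiddleware on the GET / route; keep the two in sync`. Guarding with `typeof req.csrfToken === 'function'` would silence the error but also hide a missing-middleware misconfiguration, so the comment is the better fix. showIndex begins before the hunk and continues after it.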
|
|
@ -17,8 +17,11 @@ const appRouter = Router()
|
|||
|
||||
// register route
|
||||
|
||||
const csurf = require('csurf')
|
||||
const csurfMiddleware = csurf({ cookie: true })
|
||||
|
||||
// get index
|
||||
appRouter.get('/', wrap(indexController.showIndex))
|
||||
appRouter.get('/', csurfMiddleware, wrap(indexController.showIndex))
|
||||
|
||||
// ----- error page -----
|
||||
// get 403 forbidden
|
||||
|
@ -52,7 +55,7 @@ appRouter.get('/me', wrap(userController.getMe))
|
|||
appRouter.get('/me/delete/:token?', wrap(userController.deleteUser))
|
||||
|
||||
// export the data of the authenticated user
|
||||
appRouter.get('/me/export', userController.exportMyData)
|
||||
appRouter.post('/me/export', urlencodedParser, csurfMiddleware, userController.exportMyData)
|
||||
|
||||
appRouter.get('/user/:username/avatar.svg', userController.getMyAvatar)
|
||||
|
||||
|
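Review bot: `csurf({ cookie: true })` on the new `csurfMiddleware` line keeps the CSRF secret in csurf's default `_csrf` cookie with default attributes (no `secure`, `sameSite` or `httpOnly`), and in the usual double-submit threat model any party that can set a cookie for this host — a sibling subdomain, or plain HTTP against an HTTPS deployment — can plant its own secret and mint a matching token. package.json in this same commit lists `connect-session-sequelize` and `cookie-parser`, so the app appears to already run server-side sessions; the session-backed default `const csurfMiddleware = csurf()` keeps the secret off the client entirely and removes the requirement that cookie-parser be mounted before this middleware. If cookie mode is kept, pass explicit attributes, e.g. `csurf({ cookie: { httpOnly: true, sameSite: 'strict', secure: /* same flag the session cookie uses */ } })`, and confirm cookie-parser runs first. csurf skips GET/HEAD/OPTIONS by default, so the token is verified only on the new POST `/me/export`, which matches the intent here.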
|
|
@ -4323,6 +4323,16 @@
|
|||
"resolved": "https://registry.npmjs.org/csextends/-/csextends-1.2.0.tgz",
|
||||
"integrity": "sha512-S/8k1bDTJIwuGgQYmsRoE+8P+ohV32WhQ0l4zqrc0XDdxOhjQQD7/wTZwCzoZX53jSX3V/qwjT+OkPTxWQcmjg=="
|
||||
},
|
||||
"csrf": {
|
||||
"version": "3.1.0",
|
||||
"resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz",
|
||||
"integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==",
|
||||
"requires": {
|
||||
"rndm": "1.2.0",
|
||||
"tsscmp": "1.0.6",
|
||||
"uid-safe": "2.1.5"
|
||||
}
|
||||
},
|
||||
"css-b64-images": {
|
||||
"version": "0.2.5",
|
||||
"resolved": "https://registry.npmjs.org/css-b64-images/-/css-b64-images-0.2.5.tgz",
|
||||
|
@ -4608,6 +4618,31 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"csurf": {
|
||||
"version": "1.11.0",
|
||||
"resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz",
|
||||
"integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==",
|
||||
"requires": {
|
||||
"cookie": "0.4.0",
|
||||
"cookie-signature": "1.0.6",
|
||||
"csrf": "3.1.0",
|
||||
"http-errors": "~1.7.3"
|
||||
},
|
||||
"dependencies": {
|
||||
"http-errors": {
|
||||
"version": "1.7.3",
|
||||
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz",
|
||||
"integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==",
|
||||
"requires": {
|
||||
"depd": "~1.1.2",
|
||||
"inherits": "2.0.4",
|
||||
"setprototypeof": "1.1.1",
|
||||
"statuses": ">= 1.5.0 < 2",
|
||||
"toidentifier": "1.0.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"cyclist": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/cyclist/-/cyclist-1.0.1.tgz",
|
||||
|
@ -14155,6 +14190,11 @@
|
|||
"inherits": "^2.0.1"
|
||||
}
|
||||
},
|
||||
"rndm": {
|
||||
"version": "1.2.0",
|
||||
"resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz",
|
||||
"integrity": "sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w="
|
||||
},
|
||||
"run-async": {
|
||||
"version": "2.3.0",
|
||||
"resolved": "https://registry.npmjs.org/run-async/-/run-async-2.3.0.tgz",
|
||||
|
@ -15858,6 +15898,11 @@
|
|||
"resolved": "https://registry.npmjs.org/tslib/-/tslib-1.10.0.tgz",
|
||||
"integrity": "sha512-qOebF53frne81cf0S9B41ByenJ3/IuH8yJKngAX35CmiZySA0khhkovshKK+jGCaMnVomla7gVlIcc3EvKPbTQ=="
|
||||
},
|
||||
"tsscmp": {
|
||||
"version": "1.0.6",
|
||||
"resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz",
|
||||
"integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA=="
|
||||
},
|
||||
"tty-browserify": {
|
||||
"version": "0.0.0",
|
||||
"resolved": "https://registry.npmjs.org/tty-browserify/-/tty-browserify-0.0.0.tgz",
|
||||
|
|
|
@ -49,6 +49,7 @@
|
|||
"connect-session-sequelize": "~6.0.0",
|
||||
"cookie": "~0.4.0",
|
||||
"cookie-parser": "~1.4.4",
|
||||
"csurf": "~1.11.0",
|
||||
"deep-freeze": "~0.0.1",
|
||||
"ejs": "~2.6.2",
|
||||
"express": "~4.17.1",
|
||||
|
|
|
@ -428,3 +428,7 @@ $('.ui-use-tags').on('change', function () {
|
|||
$('.search').keyup(() => {
|
||||
checkHistoryList()
|
||||
})
|
||||
|
||||
$(".ui-export-user-data").click(function (e) {
|
||||
document.exportNoteData.submit()
|
||||
})
|
||||
|
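Review bot: The click handler added at the end of the hunk submits the form but never calls `e.preventDefault()`, so the `href="#"` on the new `.ui-export-user-data` anchor also performs its default navigation (a hash change / jump to top) on the same click, and `e` is declared but unused. The surrounding file uses arrow functions and single quotes (`$('.search').keyup(() => {` just above), so for both consistency and correctness: `$('.ui-export-user-data').click((e) => {` / `  e.preventDefault()` / `  document.exportNoteData.submit()`. `document.exportNoteData` relies on the named-form shortcut; `document.forms.exportNoteData` says the same thing more explicitly, but either works.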
|
|
@ -19,6 +19,9 @@
|
|||
<button class="btn btn-sm btn-success ui-signin" data-toggle="modal" data-target=".signin-modal"><%= __('Sign In') %></button>
|
||||
<% } %>
|
||||
</div>
|
||||
<form name="exportNoteData" action="<%- serverURL %>/me/export" method="post">
|
||||
<input type="hidden" name="_csrf" value="<%- csrfToken %>">
|
||||
</form>
|
||||
<div class="ui-signout" style="float: right; margin-top: 8px;<% if(!signin) { %> display: none;<% } %>">
|
||||
<a type="button" href="<%- serverURL %>/new" class="btn btn-sm btn-primary"><i class="fa fa-plus"></i> <%= __('New note') %></a>
|
||||
<span class="ui-profile dropdown pull-right">
|
||||
|
@ -27,7 +30,7 @@
|
|||
</button>
|
||||
<ul class="dropdown-menu" aria-labelledby="profileLabel">
|
||||
<li><a href="<%- serverURL %>/features"><i class="fa fa-dot-circle-o fa-fw"></i> <%= __('Features') %></a></li>
|
||||
<li><a href="<%- serverURL %>/me/export"><i class="fa fa-cloud-download fa-fw"></i> <%= __('Export user data') %></a></li>
|
||||
<li><a href="#" class="ui-export-user-data"><i class="fa fa-cloud-download fa-fw"></i> <%= __('Export user data') %></a></li>
|
||||
<li><a class="ui-delete-user" data-toggle="modal" data-target=".delete-user-modal"><i class="fa fa-trash fa-fw"></i> <%= __('Delete user') %></a></li>
|
||||
<li><a href="<%- serverURL %>/logout"><i class="fa fa-sign-out fa-fw"></i> <%= __('Sign Out') %></a></li>
|
||||
</ul>
|
||||
|
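Review bot: The hidden `_csrf` input writes the token through the unescaped `<%-` tag; as far as I recall csurf emits URL-safe base64, so it cannot break out of the attribute today, but the escaped form `<input type="hidden" name="_csrf" value="<%= csrfToken %>">` costs nothing and does not depend on that property (`serverURL` is a trusted config value, which is why `<%-` is tolerable there). Separately, `csrfToken` is referenced as a bare local: if this partial is rendered by any view other than the one behind GET `/` (the only route given `csurfMiddleware` in this commit), EJS throws a ReferenceError for the undefined name. Either make `csrfToken` a required local of every view that includes this partial, or use `<%= locals.csrfToken %>` so an omission degrades to an empty field and a rejected POST rather than a broken page.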
|