"use strict";
const _ = require('lodash');
const csrf = require('lusca').csrf();
module.exports.returnTo = function() {
return function (req, res, next) {
// Keep track of previous URL to redirect back to
// original destination after a successful login.
if (req.method !== 'GET') {
return next();
}
let path = req.path.split('/')[1];
if (/(auth|login|logout|signup)$/i.test(path)) {
return next();
}
luscaCsp = lusca.csp(config.security.csp);
obj.server.use(luscaCsp).blacklist(luscaCsp);
}
// Registers a header middleware with the server and puts it on the server's
// blacklist in the same step. NOTE(review): what `.blacklist()` exempts the
// middleware from is not visible here — confirm against obj.server.
const mountHeader = (mw) => {
  obj.server.use(mw).blacklist(mw);
};
const security = config.security;
// X-Frame-Options, only when a non-empty value is configured.
if (!isEmpty(security.xframe || "")) {
  luscaXframe = lusca.xframe(security.xframe);
  mountHeader(luscaXframe);
}
// P3P, only when a non-empty value is configured.
if (!isEmpty(security.p3p || "")) {
  luscaP3p = lusca.p3p(security.p3p);
  mountHeader(luscaP3p);
}
// HSTS is mounted only when it is configured as an options object.
if (security.hsts instanceof Object) {
  luscaHsts = lusca.hsts(security.hsts);
  mountHeader(luscaHsts);
}
// X-XSS-Protection likewise only when configured as an options object.
if (security.xssProtection instanceof Object) {
  luscaXssProtection = lusca.xssProtection(security.xssProtection);
  mountHeader(luscaXssProtection);
}
// Can fork to `middleware.keymaster()`
mountHeader(middleware.zuul);
if (stateless && !stateful) {
init(false);
} else {
init(true);
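// Lusca's CSRF middleware holds nothing but its options; build it once instead
// of on every request. Same for the Referrer-Policy header middleware.
const csrfCheck = lusca.csrf();
const referrerPolicy = lusca.referrerPolicy('same-origin');
app.use((req, res, next) => {
  // API routes carry no form token (their clients are not browser forms), and
  // the test environment skips the check altogether. The original matched
  // RegExp('/api/.*') without an anchor, so any path containing "/api/"
  // (e.g. "/x/api/y") was exempt; anchoring keeps the exemption to /api itself.
  const isApiRoute = req.path === '/api' || req.path.startsWith('/api/');
  if (
    // req.path === '/api/v1' ||
    isApiRoute ||
    process.env.NODE_ENV === 'test'
  ) {
    // Multer multipart/form-data handling needs to occur before the Lusca CSRF check.
    // eslint-disable-next-line no-underscore-dangle
    res.locals._csrf = '';
    next();
    return;
  }
  // The original called lusca.referrerPolicy('same-origin') and discarded the
  // returned middleware, so the header was never set. Run it, then the CSRF check.
  referrerPolicy(req, res, (err) => {
    if (err) {
      next(err);
      return;
    }
    csrfCheck(req, res, next);
  });
});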
/**
luscaXframe = lusca.xframe(config.security.xframe);
obj.always(luscaXframe).blacklist(luscaXframe);
}
// Mounts a middleware on every route and puts it on the blacklist at once.
// NOTE(review): the effect of `.blacklist()` is not visible here — confirm
// against `obj`.
const mountAlways = (mw) => {
  obj.always(mw).blacklist(mw);
};
const security = config.security;
// P3P, only when configured to a non-empty value.
if (isEmpty(security.p3p || "") === false) {
  luscaP3p = lusca.p3p(security.p3p);
  mountAlways(luscaP3p);
}
// HSTS, only when configured as an options object.
if (security.hsts instanceof Object) {
  luscaHsts = lusca.hsts(security.hsts);
  mountAlways(luscaHsts);
}
// X-XSS-Protection, for any truthy setting.
if (security.xssProtection) {
  luscaXssProtection = lusca.xssProtection(security.xssProtection);
  mountAlways(luscaXssProtection);
}
// X-Content-Type-Options: nosniff takes no options.
if (security.nosniff) {
  luscaNoSniff = lusca.nosniff();
  mountAlways(luscaNoSniff);
}
// Can fork to `middleware.keymaster()`
mountAlways(middleware.zuul);
// Passport initialisation runs on every route.
passportInit = passport.initialize();
mountAlways(passportInit);
if (stateless === false) {
passportSession = passport.session();
// does not contain the api substring
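// Lusca's CSRF middleware holds nothing but its options, so build it once
// rather than on every request.
const csrfCheck = lusca.csrf();
// CSRF token check for browser-facing routes; routes under the configured API
// prefix are exempt. The original tested
// req.originalUrl.includes(`/${apiPrefix}/`): originalUrl carries the query
// string and the match was unanchored, so a request whose query string (or a
// later path segment) contained "/<prefix>/" skipped the check. Match the path
// part only, anchored at its start.
_express.use((req, res, next) => {
  const apiPrefix = Locals.config().apiPrefix;
  const pathname = req.originalUrl.split('?')[0];
  if (pathname.startsWith(`/${apiPrefix}/`)) {
    next();
    return;
  }
  csrfCheck(req, res, next);
});
// Enables x-frame-options headers
_express.use(lusca.xframe('SAMEORIGIN'));
// Enables xss-protection headers
_express.use(lusca.xssProtection(true));
// Remember where the visitor was heading so the login flow can send them back.
// Anonymous visitors: anything except the login/signup/auth routes and paths
// that look like static assets (contain a dot). Signed-in visitors: /account
// and anything under /api, as the original did.
_express.use((req, res, next) => {
  const { path: reqPath, originalUrl } = req;
  const isAuthRoute =
    reqPath === '/login' || reqPath === '/signup' || /^\/auth/.test(reqPath);
  const looksLikeAsset = /\./.test(reqPath);
  if (!req.user) {
    if (!isAuthRoute && !looksLikeAsset) {
      req.session.returnTo = originalUrl;
    }
  } else if (reqPath === '/account' || /^\/api/.test(reqPath)) {
    req.session.returnTo = originalUrl;
  }
  next();
});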
}));
// Passport session handling and flash messages.
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());
// security
// Don't advertise the framework in the X-Powered-By header.
app.disable('x-powered-by');
// Lusca CSRF check on every route except /events.
// NOTE(review): the reason for the /events exemption is not recorded here —
// confirm that route cannot be driven by a cross-site form submission.
const enableCSRF = (req, res, next) => {
  if (req.path === '/events') {
    next();
    return;
  }
  lusca.csrf()(req, res, next);
};
app.use(enableCSRF);
// Clickjacking and legacy XSS-filter headers.
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));
// user
// Expose the authenticated user (if any) to templates as `user`.
const addUserToLocals = (req, res, next) => {
  res.locals.user = req.user;
  next();
};
// Remember the requested path so the login flow can return the visitor there.
// Anonymous visitors: skip /auth* and anything that looks like a static asset
// (a path containing a dot). Signed-in visitors: only /account is remembered.
const redirectUser = (req, res, next) => {
  const isAuthPath = /^\/auth/.test(req.path);
  const looksLikeAsset = /\./.test(req.path);
  const anonymous = !req.user;
  const remember = anonymous
    ? !isAuthPath && !looksLikeAsset
    : req.path === '/account';
  if (remember) {
    req.session.returnTo = req.path;
  }
  next();
};
app.use(addUserToLocals);
app.use(redirectUser);
const html = md.render(str);
fn(null, html);
} catch (err) {
fn(err);
}
});
})
.set('view engine', 'html')
.set('views', `${__dirname}/public`)
.use(session(config.get('session')))
.use(setCsrfHeader)
.disable('x-powered-by') // Do not advertise Express
// .use(lusca.csrf()) // Cross Site Request Forgery
// .use(lusca.csp({policy: config.csp})) // Content Security Policy
.use(lusca.hsts({maxAge: 31536000}))
.use(lusca.xssProtection(true))
.use(helmet.noSniff())
.use(helmet.ieNoOpen())
.use(helmet.referrerPolicy({policy: 'no-referrer'}))
.use(compress()) // Use gzip compression
.use(express.static(__dirname)); // Serve static files
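// Route parameters are attacker-controlled and Express percent-decodes them, so
// `page` may contain "/" or ".." after decoding even though the route pattern
// itself stops at a literal slash. Only a plain slug may name a view; anything
// else is answered with 404 instead of being handed to the view lookup.
const SAFE_PAGE = /^[A-Za-z0-9_-]+$/;

// Health/landing page.
app.get('/', verifyCsrfHeader, (req, res) => {
  res.render('index', {
    message: 'The server is functioning properly!'
  });
});
// Renders `<page>.md` from the views directory.
app.get('/:page.md', verifyCsrfHeader, (req, res) => {
  const {page} = req.params;
  if (!SAFE_PAGE.test(page)) {
    res.sendStatus(404);
    return;
  }
  res.render(`${page}.md`);
});
module.exports = app;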
// Body parsing and request validation.
app.use(bodyParser.urlencoded({ extended: true }));
app.use(expressValidator());

// Server-side sessions backed by MongoDB. The signing secret comes from the
// environment only; express-session should refuse to start without one.
// NOTE(review): no cookie flags (secure/sameSite) are set here, and this
// stretch does not mount lusca.csrf() — confirm both are handled elsewhere.
const sessionStore = new MongoStore({
  url: process.env.MONGODB_URI || process.env.MONGOLAB_URI,
  autoReconnect: true
});
const sessionOptions = {
  resave: true,
  saveUninitialized: true,
  secret: process.env.SESSION_SECRET,
  store: sessionStore
};
app.use(session(sessionOptions));

// Authentication and flash messages.
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());

// Clickjacking and legacy XSS-filter headers via Lusca.
app.use(lusca.xframe("SAMEORIGIN"));
app.use(lusca.xssProtection(true));

// Make the signed-in user available to templates as `user`.
const exposeUser = (req, res, next) => {
  res.locals.user = req.user;
  next();
};
app.use(exposeUser);
app.use((req, res, next) => {
// After successful login, redirect back to the intended page
if (!req.user &&
req.path !== "/login" &&
req.path !== "/signup" &&
!req.path.match(/^\/auth/) &&
!req.path.match(/\./)) {
req.session.returnTo = req.path;
} else if (req.user &&
req.path == "/account") {
req.session.returnTo = req.path;
}
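// Create Express server
const app = express();
// Express configuration
app.set('port', process.env.PORT || 3000);
app.use(compression());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({extended: true}));
app.use(expressValidator());
// Session cookies are signed with this secret. The original shipped the
// literal 'null', which anyone with the source could use to forge sessions;
// take it from the environment instead. Without SESSION_SECRET a random
// per-process value is used so development still starts, at the cost of
// sessions not surviving a restart — production must set the variable.
const sessionSecret =
  process.env.SESSION_SECRET || require('crypto').randomBytes(32).toString('hex');
app.use(expressSession({
  cookie: {maxAge: 60000}, // sessions expire after one minute, as configured
  secret: sessionSecret
}));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));
// Wildcard CORS: any origin may read responses. Browsers will not combine a
// '*' origin with credentials, so other sites cannot read responses that
// depend on the session cookie, but everything else served here is readable
// from any site.
app.use(function (req, res, next) {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
  next();
});
// Static assets, cached for roughly a year.
app.use(
  express.static(path.join(__dirname, 'public'), {maxAge: 31557600000})
);
/**
 * API examples routes.
 */
app.get('/api', apiController.getApi);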
url: process.env.MONGODB_URI || process.env.MONGOLAB_URI,
autoReconnect: true,
clear_interval: 3600
})
}));
// Passport and flash-message plumbing.
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());

// Lusca CSRF check on everything except the upload endpoint.
// NOTE(review): the reason for exempting /api/upload is not recorded here;
// presumably multipart parsing happens on that route before a token could be
// read — confirm it cannot be driven by a cross-site form post.
const checkCsrf = (req, res, next) => {
  if (req.path === '/api/upload') {
    next();
    return;
  }
  lusca.csrf()(req, res, next);
};
app.use(checkCsrf);

// Clickjacking and legacy XSS-filter headers.
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));

// Expose the signed-in user to templates as `user`.
const exposeUser = (req, res, next) => {
  res.locals.user = req.user;
  next();
};
app.use(exposeUser);
app.use((req, res, next) => {
// After successful login, redirect back to the intended page
if (!req.user &&
req.path !== '/login' &&
req.path !== '/signup' &&
!req.path.match(/^\/auth/) &&
!req.path.match(/\./)) {
req.session.returnTo = req.path;
} else if (req.user &&
req.path === '/account') {
req.session.returnTo = req.path;