"use strict";
const _ = require('lodash');
const csrf = require('lusca').csrf();
module.exports.returnTo = function() {
return function (req, res, next) {
// Keep track of previous URL to redirect back to
// original destination after a successful login.
if (req.method !== 'GET') {
return next();
}
let path = req.path.split('/')[1];
if (/(auth|login|logout|signup)$/i.test(path)) {
return next();
}
/**
* Add routes for authentication
*
* Also sets up dependencies for authentication:
* - Adds sessions support to Express (with HTTP only cookies for security)
* - Configures session store (defaults to a flat file store in /tmp/sessions)
* - Adds protection for Cross Site Request Forgery attacks to all POST requests
*
* Normally some of this logic might be elsewhere (like express.js) but for the
* purposes of this example all server logic related to authentication is here.
*/
'use strict'
const bodyParser = require('body-parser')
const nodemailer = require('nodemailer')
const csrf = require('lusca').csrf()
const uuid = require('uuid/v4')
const passportStrategies = require('./passport-strategies')
exports.configure = ({
// Next.js App
nextApp = null,
// Express Server
expressApp = null,
// MongoDB connection to the user database
userdb = null,
// URL base path for authentication routes
path = '/auth',
// Express Session Handler
session = require('express-session'),
// Secret used to encrypt session data on the server
secret = 'change-me',
resave: sessionResave,
rolling: sessionRolling,
saveUninitialized: sessionSaveUninitialized,
cookie: {
httpOnly: true,
secure: 'auto',
maxAge: sessionMaxAge
}
}))
if (csrf === true) {
// If csrf is true (default) apply to all routes
expressApp.use(lusca.csrf())
} else if (csrf !== false) {
// If csrf is anything else (except false) then pass it as a config option
expressApp.use(lusca.csrf(csrf))
} // if csrf is explicitly set to false then doesn't apply CSRF at all
if (trustProxy === true) {
expressApp.set('trust proxy', 1)
}
/*
* With sessions configured we need to configure Passport and trigger
* passport.initialize() before we add any other routes.
*/
passportStrategies({
expressApp: expressApp,
serverUrl: serverUrl,
providers: providers,
functions: functions
})
/**
* inkrato community edition
* Iain Collins
*/
var express = require('express'),
cookieParser = require('cookie-parser'),
compress = require('compression'),
session = require('express-session'),
bodyParser = require('body-parser'),
logger = require('morgan'),
csrf = require('lusca').csrf(),
methodOverride = require('method-override'),
_ = require('lodash'),
MongoStore = require('connect-mongo')({ session: session }),
flash = require('express-flash'),
path = require('path'),
mongoose = require('mongoose'),
passport = require('passport'),
expressValidator = require('express-validator'),
connectAssets = require('connect-assets'),
ejs = require('ejs'),
partials = require('express-partials'),
i18n = require("i18n"),
Site = require('./models/Site'),
Topic = require('./models/Topic'),
Forum = require('./models/Forum'),
linkify = require("html-linkify"),
resave: true
};
if (config.session.store === "redis") {
sesh.store = new RedisStore(config.session.redis);
}
fnCookie = cookie();
fnSesh = session(sesh);
obj.server.use(fnSesh).blacklist(fnSesh);
obj.server.use(fnCookie).blacklist(fnCookie);
obj.server.use(bypass).blacklist(bypass);
if (config.security.csrf) {
luscaCsrf = lusca.csrf({key: config.security.key, secret: config.security.secret});
obj.server.use(csrfWrapper).blacklist(csrfWrapper);
}
}
if (config.security.csp instanceof Object) {
luscaCsp = lusca.csp(config.security.csp);
obj.server.use(luscaCsp).blacklist(luscaCsp);
}
if (!string.isEmpty(config.security.xframe || "")) {
luscaXframe = lusca.xframe(config.security.xframe);
obj.server.use(luscaXframe).blacklist(luscaXframe);
}
if (!string.isEmpty(config.security.p3p || "")) {
luscaP3p = lusca.p3p(config.security.p3p);
/**
* Module dependencies.
*/
var express = require('express');
var cookieParser = require('cookie-parser');
var compress = require('compression');
var session = require('express-session');
var bodyParser = require('body-parser');
var logger = require('morgan');
var errorHandler = require('errorhandler');
var csrf = require('lusca').csrf();
var methodOverride = require('method-override');
var _ = require('lodash');
var MongoStore = require('connect-mongo')(session);
var flash = require('express-flash');
var path = require('path');
var mongoose = require('mongoose');
var passport = require('passport');
var expressValidator = require('express-validator');
var connectAssets = require('connect-assets');
/**
* Controllers (route handlers).
*/
var homeController = require('./controllers/home');
"use strict";
var morgan = require('morgan');
var path = require('path');
var responseTime = require('response-time');
var methodOverride = require('method-override');
var multer = require('multer');
var compression = require('compression');
var favicon = require('serve-favicon');
var bodyParser = require('body-parser');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var csrf = require('lusca').csrf();
var MongoStore = require('connect-mongo')({ session: session });
var errorHandler = require('errorhandler');
var expressValidator = require('express-validator');
var env = process.env.NODE_ENV || 'development';
var views_helpers = require('../helper/views-helper');
var pkg = require('../../package.json');
var flash = require('express-flash');
var routes = require('../routes');
var _ = require('lodash');
module.exports = function (app, express, passport) {
var allowCrossDomain = function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header('Access-Control-Allow-Credentials', true)
res.header("Access-Control-Allow-Headers", "X-Requested-With");
"use strict";
const csrf = require('lusca').csrf();
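/**
 * Build a CSRF middleware that exempts a fixed set of paths.
 *
 * Every request whose `req.path` appears verbatim in `opts.whitelist` is
 * passed straight to `next()`; all other requests are handed to the
 * module-level lusca `csrf` middleware, which performs the token check.
 *
 * @param {{ whitelist?: string[] }} [opts] - Options; `whitelist` is the
 *   list of exact paths that skip CSRF validation. A missing or non-array
 *   `whitelist` is treated as empty, so every request is checked rather
 *   than the middleware throwing a TypeError on first use.
 * @returns {function(req, res, next): void} Express middleware.
 */
module.exports.csrf = function(opts) {
  const options = opts || {};
  return function(req, res, next) {
    // Re-read per request so a whitelist array the caller mutates later is
    // still honoured (matches the original look-up timing).
    const whitelist = Array.isArray(options.whitelist) ? options.whitelist : [];
    // Exact-string match only: a whitelisted "/foo" does not exempt "/foo/bar",
    // and the check is against the router-relative req.path, not req.url.
    if (whitelist.indexOf(req.path) > -1) {
      return next();
    }
    csrf(req, res, next);
  };
};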
})
fn(null, html);
} catch (err) {
fn(err);
}
});
})
.set('views', __dirname + '/markdown')
.set('view engine', 'md')
.use(session(config.get('session')))
.use(function (req, res, next) {
res.set('X-CSRF', config.get('session').secret);
return next();
})
.disable('x-powered-by') /** Do not advertise Express **/
.use(lusca.csrf()) /** Cross Site Request Forgery **/
.use(lusca.csp({policy: config.csp})) /** Content Security Policy **/
.use(lusca.xframe('SAMEORIGIN')) /** Helps prevent Clickjacking **/
.use(lusca.hsts({ maxAge: 31536000 }))
.use(lusca.xssProtection(true))
.use(helmet.noSniff())
.use(helmet.ieNoOpen())
.use(helmet.publicKeyPins({
maxAge: NINETY_DAYS_IN_MILLISECONDS,
sha256s: ['base64==', 'base64=='], /** Needs to be changed **/
includeSubdomains: true
}))
.use(compress()) /** Use gzip compression **/
.use(express.static(__dirname)); /** Serve static files **/
app.get('/', function(req, res) {
if (res.get('X-CSRF') === config.get('session').secret) {
res.redirect('/client');
sesh = Object.assign({secret: uuid()}, configSession);
if (config.session.store === "redis") {
const client = redis.createClient(clone(config.session.redis));
sesh.store = new RedisStore({client});
}
fnCookie = cookie();
fnSession = session(sesh);
obj.always(fnSession).blacklist(fnSession);
obj.always(fnCookie).blacklist(fnCookie);
obj.always(middleware.bypass).blacklist(middleware.bypass);
if (config.security.csrf) {
luscaCsrf = lusca.csrf({key: config.security.key, secret: config.security.secret});
obj.always(csrfWrapper).blacklist(csrfWrapper);
}
}
if (config.security.csp instanceof Object) {
luscaCsp = lusca.csp(config.security.csp);
obj.always(luscaCsp).blacklist(luscaCsp);
}
if (isEmpty(config.security.xframe || "") === false) {
luscaXframe = lusca.xframe(config.security.xframe);
obj.always(luscaXframe).blacklist(luscaXframe);
}
if (isEmpty(config.security.p3p || "") === false) {
luscaP3p = lusca.p3p(config.security.p3p);