		
			NO_CSRF
			...
			CSRF_erlau
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 72ac99ff05 | |||
| 6b75f0c4d0 | 
							
								
								
									
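--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,5 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/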
							
								
								
									
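--- /dev/null
+++ b/.idea/express-4.x-local-example.iml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="WEB_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$">
+      <excludeFolder url="file://$MODULE_DIR$/temp" />
+      <excludeFolder url="file://$MODULE_DIR$/.tmp" />
+      <excludeFolder url="file://$MODULE_DIR$/tmp" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>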
							
								
								
									
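--- /dev/null
+++ b/.idea/modules.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/express-4.x-local-example.iml" filepath="$PROJECT_DIR$/.idea/express-4.x-local-example.iml" />
+    </modules>
+  </component>
+</project>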
							
								
								
									
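--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$" vcs="Git" />
+  </component>
+</project>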
							
								
								
									
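--- a/.idea/workspace.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="ChangeListManager">
-    <list default="true" id="60ecbf83-4bba-4fa7-aaf1-2762f3154f8b" name="Default Changelist" comment="" />
-    <option name="SHOW_DIALOG" value="false" />
-    <option name="HIGHLIGHT_CONFLICTS" value="true" />
-    <option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
-    <option name="LAST_RESOLUTION" value="IGNORE" />
-  </component>
-  <component name="Git.Settings">
-    <option name="RECENT_GIT_ROOT_PATH" value="$PROJECT_DIR$" />
-  </component>
-  <component name="ProjectId" id="1sx0rQiSITjAkuVuRgoetALRiBd" />
-  <component name="ProjectViewState">
-    <option name="hideEmptyMiddlePackages" value="true" />
-    <option name="showLibraryContents" value="true" />
-  </component>
-  <component name="PropertiesComponent">
-    <property name="RunOnceActivity.OpenProjectViewOnStart" value="true" />
-    <property name="RunOnceActivity.ShowReadmeOnStart" value="true" />
-    <property name="WebServerToolWindowFactoryState" value="false" />
-    <property name="last_opened_file_path" value="$PROJECT_DIR$" />
-    <property name="nodejs_package_manager_path" value="npm" />
-    <property name="settings.editor.selected.configurable" value="preferences.pluginManager" />
-    <property name="vue.rearranger.settings.migration" value="true" />
-  </component>
-  <component name="SpellCheckerSettings" RuntimeDictionaries="0" Folders="0" CustomDictionaries="0" DefaultDictionary="application-level" UseSingleDictionary="true" transferred="true" />
-  <component name="TaskManager">
-    <task active="true" id="Default" summary="Default task">
-      <changelist id="60ecbf83-4bba-4fa7-aaf1-2762f3154f8b" name="Default Changelist" comment="" />
-      <created>1621799132070</created>
-      <option name="number" value="Default" />
-      <option name="presentableId" value="Default" />
-      <updated>1621799132070</updated>
-      <workItem from="1621799133598" duration="9079000" />
-      <workItem from="1621945982621" duration="1195000" />
-      <workItem from="1622217873429" duration="2448000" />
-    </task>
-    <servers />
-  </component>
-  <component name="TypeScriptGeneratedFilesManager">
-    <option name="version" value="3" />
-  </component>
-</project>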
@@ -1,12 +1,12 @@
 | 
			
		||||
# LoginDemo
 | 
			
		||||
 | 
			
		||||
CSRF ist hier blockiert
 | 
			
		||||
 | 
			
		||||
Google Auth +
 | 
			
		||||
Digest +
 | 
			
		||||
Formular +
 | 
			
		||||
Session Cookie
 | 
			
		||||
 | 
			
		||||
CSRF kann hier durchgeführt werden
 | 
			
		||||
 | 
			
		||||
Install Node Modules:
 | 
			
		||||
```sh
 | 
			
		||||
npm i
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										99
									
								
								package-lock.json
									
									
									
										generated
									
									
									
								
							
							@@ -5,14 +5,12 @@
 | 
			
		||||
  "requires": true,
 | 
			
		||||
  "packages": {
 | 
			
		||||
    "": {
 | 
			
		||||
      "name": "express-4.x-local-example",
 | 
			
		||||
      "version": "0.0.0",
 | 
			
		||||
      "license": "Unlicense",
 | 
			
		||||
      "dependencies": {
 | 
			
		||||
        "body-parser": "^1.19.0",
 | 
			
		||||
        "connect-ensure-login": "^0.1.1",
 | 
			
		||||
        "cookie-session": "^1.4.0",
 | 
			
		||||
        "csurf": "^1.11.0",
 | 
			
		||||
        "ejs": "^2.6.2",
 | 
			
		||||
        "express": "^4.17.1",
 | 
			
		||||
        "express-session": "^1.16.1",
 | 
			
		||||
@@ -174,53 +172,6 @@
 | 
			
		||||
        "node": ">= 0.8"
 | 
			
		||||
      }
 | 
			
		||||
    },
 | 
			
		||||
    "node_modules/csrf": {
 | 
			
		||||
      "version": "3.1.0",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz",
 | 
			
		||||
      "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==",
 | 
			
		||||
      "dependencies": {
 | 
			
		||||
        "rndm": "1.2.0",
 | 
			
		||||
        "tsscmp": "1.0.6",
 | 
			
		||||
        "uid-safe": "2.1.5"
 | 
			
		||||
      },
 | 
			
		||||
      "engines": {
 | 
			
		||||
        "node": ">= 0.8"
 | 
			
		||||
      }
 | 
			
		||||
    },
 | 
			
		||||
    "node_modules/csurf": {
 | 
			
		||||
      "version": "1.11.0",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz",
 | 
			
		||||
      "integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==",
 | 
			
		||||
      "dependencies": {
 | 
			
		||||
        "cookie": "0.4.0",
 | 
			
		||||
        "cookie-signature": "1.0.6",
 | 
			
		||||
        "csrf": "3.1.0",
 | 
			
		||||
        "http-errors": "~1.7.3"
 | 
			
		||||
      },
 | 
			
		||||
      "engines": {
 | 
			
		||||
        "node": ">= 0.8.0"
 | 
			
		||||
      }
 | 
			
		||||
    },
 | 
			
		||||
    "node_modules/csurf/node_modules/http-errors": {
 | 
			
		||||
      "version": "1.7.3",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz",
 | 
			
		||||
      "integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==",
 | 
			
		||||
      "dependencies": {
 | 
			
		||||
        "depd": "~1.1.2",
 | 
			
		||||
        "inherits": "2.0.4",
 | 
			
		||||
        "setprototypeof": "1.1.1",
 | 
			
		||||
        "statuses": ">= 1.5.0 < 2",
 | 
			
		||||
        "toidentifier": "1.0.0"
 | 
			
		||||
      },
 | 
			
		||||
      "engines": {
 | 
			
		||||
        "node": ">= 0.6"
 | 
			
		||||
      }
 | 
			
		||||
    },
 | 
			
		||||
    "node_modules/csurf/node_modules/inherits": {
 | 
			
		||||
      "version": "2.0.4",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
 | 
			
		||||
      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
 | 
			
		||||
    },
 | 
			
		||||
    "node_modules/debug": {
 | 
			
		||||
      "version": "2.6.9",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
 | 
			
		||||
@@ -744,11 +695,6 @@
 | 
			
		||||
        "node": ">= 0.8"
 | 
			
		||||
      }
 | 
			
		||||
    },
 | 
			
		||||
    "node_modules/rndm": {
 | 
			
		||||
      "version": "1.2.0",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz",
 | 
			
		||||
      "integrity": "sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w="
 | 
			
		||||
    },
 | 
			
		||||
    "node_modules/safe-buffer": {
 | 
			
		||||
      "version": "5.1.2",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
 | 
			
		||||
@@ -997,46 +943,6 @@
 | 
			
		||||
        }
 | 
			
		||||
      }
 | 
			
		||||
    },
 | 
			
		||||
    "csrf": {
 | 
			
		||||
      "version": "3.1.0",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz",
 | 
			
		||||
      "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==",
 | 
			
		||||
      "requires": {
 | 
			
		||||
        "rndm": "1.2.0",
 | 
			
		||||
        "tsscmp": "1.0.6",
 | 
			
		||||
        "uid-safe": "2.1.5"
 | 
			
		||||
      }
 | 
			
		||||
    },
 | 
			
		||||
    "csurf": {
 | 
			
		||||
      "version": "1.11.0",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz",
 | 
			
		||||
      "integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==",
 | 
			
		||||
      "requires": {
 | 
			
		||||
        "cookie": "0.4.0",
 | 
			
		||||
        "cookie-signature": "1.0.6",
 | 
			
		||||
        "csrf": "3.1.0",
 | 
			
		||||
        "http-errors": "~1.7.3"
 | 
			
		||||
      },
 | 
			
		||||
      "dependencies": {
 | 
			
		||||
        "http-errors": {
 | 
			
		||||
          "version": "1.7.3",
 | 
			
		||||
          "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz",
 | 
			
		||||
          "integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==",
 | 
			
		||||
          "requires": {
 | 
			
		||||
            "depd": "~1.1.2",
 | 
			
		||||
            "inherits": "2.0.4",
 | 
			
		||||
            "setprototypeof": "1.1.1",
 | 
			
		||||
            "statuses": ">= 1.5.0 < 2",
 | 
			
		||||
            "toidentifier": "1.0.0"
 | 
			
		||||
          }
 | 
			
		||||
        },
 | 
			
		||||
        "inherits": {
 | 
			
		||||
          "version": "2.0.4",
 | 
			
		||||
          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
 | 
			
		||||
          "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
 | 
			
		||||
        }
 | 
			
		||||
      }
 | 
			
		||||
    },
 | 
			
		||||
    "debug": {
 | 
			
		||||
      "version": "2.6.9",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
 | 
			
		||||
@@ -1426,11 +1332,6 @@
 | 
			
		||||
        "unpipe": "1.0.0"
 | 
			
		||||
      }
 | 
			
		||||
    },
 | 
			
		||||
    "rndm": {
 | 
			
		||||
      "version": "1.2.0",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz",
 | 
			
		||||
      "integrity": "sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w="
 | 
			
		||||
    },
 | 
			
		||||
    "safe-buffer": {
 | 
			
		||||
      "version": "5.1.2",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
 | 
			
		||||
 
 | 
			
		||||
@@ -21,7 +21,6 @@
 | 
			
		||||
    "body-parser": "^1.19.0",
 | 
			
		||||
    "connect-ensure-login": "^0.1.1",
 | 
			
		||||
    "cookie-session": "^1.4.0",
 | 
			
		||||
    "csurf": "^1.11.0",
 | 
			
		||||
    "ejs": "^2.6.2",
 | 
			
		||||
    "express": "^4.17.1",
 | 
			
		||||
    "express-session": "^1.16.1",
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										21
									
								
								server.js
									
									
									
									
									
								
							@@ -9,13 +9,6 @@ var GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;
 | 
			
		||||
//Digest
 | 
			
		||||
var DigestStrategy = require('passport-http').DigestStrategy
 | 
			
		||||
 | 
			
		||||
// NO CSRF
 | 
			
		||||
var bodyParser = require('body-parser')
 | 
			
		||||
var csrf = require('csurf')
 | 
			
		||||
var csrfProtection = csrf({ cookie: true })
 | 
			
		||||
var cookieParser = require('cookie-parser')
 | 
			
		||||
var parseForm = bodyParser.urlencoded({ extended: false })
 | 
			
		||||
 | 
			
		||||
passport.use(new DigestStrategy({ qop: 'auth' },
 | 
			
		||||
    function(username, done) {
 | 
			
		||||
        db.users.findByUsername(username, function (err, user) {
 | 
			
		||||
@@ -105,12 +98,9 @@ app.set('view engine', 'ejs');
 | 
			
		||||
// Use application-level middleware for common functionality, including
 | 
			
		||||
// logging, parsing, and session handling.
 | 
			
		||||
app.use(require('morgan')('combined'));
 | 
			
		||||
// app.use(require('body-parser').urlencoded({ extended: true }));
 | 
			
		||||
app.use(require('body-parser').urlencoded({ extended: true }));
 | 
			
		||||
app.use(require('express-session')({ secret: 'keyboard cat', resave: false, saveUninitialized: false }));
 | 
			
		||||
 | 
			
		||||
// parse cookies
 | 
			
		||||
// we need this because "cookie" is true in csrfProtection
 | 
			
		||||
app.use(cookieParser())
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
// Initialize Passport and restore authentication state, if any, from the
 | 
			
		||||
@@ -119,20 +109,19 @@ app.use(passport.initialize());
 | 
			
		||||
app.use(passport.session());
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
// Define routes.
 | 
			
		||||
app.get('/',
 | 
			
		||||
  function(req, res) {
 | 
			
		||||
    res.render('home', { user: req.user });
 | 
			
		||||
  });
 | 
			
		||||
 | 
			
		||||
app.get('/login', csrfProtection,
 | 
			
		||||
app.get('/login',
 | 
			
		||||
  function(req, res){
 | 
			
		||||
    console.log("CSRF TOKEN")
 | 
			
		||||
      console.log(req.csrfToken())
 | 
			
		||||
    res.render('login', {csrfToken: req.csrfToken()});
 | 
			
		||||
    res.render('login');
 | 
			
		||||
  });
 | 
			
		||||
  
 | 
			
		||||
app.post('/login', parseForm, csrfProtection,
 | 
			
		||||
app.post('/login', 
 | 
			
		||||
  passport.authenticate('local', { failureRedirect: '/login' }),
 | 
			
		||||
  function(req, res) {
 | 
			
		||||
    res.redirect('/');
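Review bot: The `/login` routes at `app.get('/login',` and `app.post('/login', ` are now registered without any CSRF middleware, and nothing in the code records that this is the intended state of the branch, so a later reader cannot tell the demo setup from an oversight; add `// Intentionally unprotected: this branch demonstrates a CSRF-vulnerable login (see README).` above `app.get('/login',`. With `parseForm` gone from the POST route, `passport.authenticate('local', ...)` depends on `req.body` being populated by the application-level `body-parser` middleware registered earlier in the file; that registration sits in the preceding hunk, so this dependency is inferred rather than verified here. The `'keyboard cat'` session secret on the context line in that middleware hunk predates this change and is inherited from the upstream example, but a `// demo-only secret, never deploy as-is` comment beside it would keep it from being copied into a real deployment. The `app.post('/login'` handler continues past the end of this hunk.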
 | 
			
		||||
 
 | 
			
		||||
@@ -1,5 +1,4 @@
 | 
			
		||||
<form action="/login" method="post">
 | 
			
		||||
	<input type="hidden" name="_csrf" value="<%= csrfToken %>">
 | 
			
		||||
	<div>
 | 
			
		||||
	<label>Username:</label>
 | 
			
		||||
	<input type="text" name="username"/><br/>
 | 
			
		||||
 