mirror of
https://github.com/tornadocash/trusted-setup-server.git
synced 2024-11-22 01:46:52 +01:00
csrf protection; validation middleware; morgan removing
This commit is contained in:
parent
d580a5e6fa
commit
c12fde401d
@ -22,7 +22,6 @@
|
||||
"dotenv": "^8.2.0",
|
||||
"express": "^4.16.4",
|
||||
"express-session": "^1.17.0",
|
||||
"morgan": "^1.9.1",
|
||||
"multer": "^1.4.2",
|
||||
"mysql2": "^2.1.0",
|
||||
"nuxt": "^2.0.0",
|
||||
|
@ -1,7 +1,8 @@
|
||||
/* eslint-disable no-console */
|
||||
const crypto = require('crypto')
|
||||
const express = require('express')
|
||||
const router = express.Router()
|
||||
const oauth = require('oauth')
|
||||
const logger = require('morgan')
|
||||
|
||||
const {
|
||||
TWITTER_CONSUMER_KEY,
|
||||
@ -33,18 +34,26 @@ const github = new oauth.OAuth2(
|
||||
'login/oauth/access_token'
|
||||
)
|
||||
|
||||
router.get('/connect/:provider', (req, res) => {
|
||||
function validateProvider(req, res, next) {
|
||||
const { provider } = req.params
|
||||
if (!providers.includes(provider)) {
|
||||
res.status(404).send('Wrong provider')
|
||||
} else {
|
||||
next()
|
||||
}
|
||||
}
|
||||
|
||||
router.get('/connect/:provider', validateProvider, (req, res) => {
|
||||
const { provider } = req.params
|
||||
|
||||
if (provider === 'github') {
|
||||
const CSRFToken = crypto.randomBytes(32).toString('hex')
|
||||
const authorizeUrl = github.getAuthorizeUrl({
|
||||
redirect_uri: GITHUB_CALLBACK_URL,
|
||||
scope: [], // 'gist' - https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/
|
||||
state: 'some random string to protect against cross-site request forgery attacks'
|
||||
state: CSRFToken
|
||||
})
|
||||
req.session.CSRFToken = CSRFToken
|
||||
res.redirect(authorizeUrl)
|
||||
} else if (provider === 'twitter') {
|
||||
twitter.getOAuthRequestToken(function(error, oauthToken, oauthTokenSecret) {
|
||||
@ -61,21 +70,18 @@ router.get('/connect/:provider', (req, res) => {
|
||||
}
|
||||
})
|
||||
|
||||
router.get('/oauth_callback/:provider', (req, res) => {
|
||||
router.get('/oauth_callback/:provider', validateProvider, (req, res) => {
|
||||
const { provider } = req.params
|
||||
if (!providers.includes(provider)) {
|
||||
res.status(404).send('Wrong provider')
|
||||
}
|
||||
|
||||
if (provider === 'github') {
|
||||
github.getOAuthAccessToken(req.query.code, {}, function(
|
||||
error,
|
||||
accessToken,
|
||||
refreshToken,
|
||||
results
|
||||
) {
|
||||
const { code, state } = req.query
|
||||
if (state !== req.session.CSRFToken) {
|
||||
res.status(404).send('Malformed request')
|
||||
return
|
||||
}
|
||||
github.getOAuthAccessToken(code, {}, function(error, accessToken, refreshToken, results) {
|
||||
if (error || results.error) {
|
||||
logger.error('getOAuthAccessToken error', error || results.error)
|
||||
console.error('getOAuthAccessToken error', error || results.error)
|
||||
res.status(500).send(error || results.error)
|
||||
} else {
|
||||
req.session.refreshToken = refreshToken
|
||||
@ -90,7 +96,7 @@ router.get('/oauth_callback/:provider', (req, res) => {
|
||||
req.query.oauth_verifier,
|
||||
(error, oauthAccessToken, oauthAccessTokenSecret) => {
|
||||
if (error) {
|
||||
logger.error(error)
|
||||
console.error('getOAuthAccessToken error', error)
|
||||
res.status(500).send(error)
|
||||
} else {
|
||||
req.session.oauthAccessToken = oauthAccessToken
|
||||
|
@ -1,10 +1,8 @@
|
||||
const path = require('path')
|
||||
const { NODE_ENV } = process.env
|
||||
require('dotenv').config({ path: path.join(__dirname, `../.env.${NODE_ENV}`) })
|
||||
const fs = require('fs')
|
||||
const express = require('express')
|
||||
const bodyParser = require('body-parser')
|
||||
const morgan = require('morgan')
|
||||
const session = require('express-session')
|
||||
const { Nuxt, Builder } = require('nuxt')
|
||||
const config = require('../nuxt.config.js')
|
||||
@ -46,11 +44,6 @@ async function start() {
|
||||
app.use(bodyParser.urlencoded({ extended: true }))
|
||||
app.use(bodyParser.json())
|
||||
|
||||
const accessLogStream = fs.createWriteStream(path.join(__dirname, 'access.log'), {
|
||||
flags: 'a'
|
||||
})
|
||||
app.use(morgan('combined', { stream: accessLogStream }))
|
||||
|
||||
// Give nuxt middleware to express
|
||||
app.use(nuxt.render)
|
||||
|
||||
|
20
yarn.lock
20
yarn.lock
@ -1755,13 +1755,6 @@ base@^0.11.1:
|
||||
mixin-deep "^1.2.0"
|
||||
pascalcase "^0.1.1"
|
||||
|
||||
basic-auth@~2.0.0:
|
||||
version "2.0.1"
|
||||
resolved "https://registry.yarnpkg.com/basic-auth/-/basic-auth-2.0.1.tgz#b998279bf47ce38344b4f3cf916d4679bbf51e3a"
|
||||
integrity sha512-NF+epuEdnUYVlGuhaxbbq+dvJttwLnGY+YixlXlME5KpQ5W3CnXA5cVTneY3SPbPDRkcjMbifrwmFYcClgOZeg==
|
||||
dependencies:
|
||||
safe-buffer "5.1.2"
|
||||
|
||||
bcrypt-pbkdf@^1.0.0:
|
||||
version "1.0.2"
|
||||
resolved "https://registry.yarnpkg.com/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz#a4301d389b6a43f9b67ff3ca11a3f6637e360e9e"
|
||||
@ -5811,17 +5804,6 @@ moment-timezone@^0.5.21:
|
||||
resolved "https://registry.yarnpkg.com/moment/-/moment-2.24.0.tgz#0d055d53f5052aa653c9f6eb68bb5d12bf5c2b5b"
|
||||
integrity sha512-bV7f+6l2QigeBBZSM/6yTNq4P2fNpSWj/0e7jQcy87A8e7o2nAfP/34/2ky5Vw4B9S446EtIhodAzkFCcR4dQg==
|
||||
|
||||
morgan@^1.9.1:
|
||||
version "1.9.1"
|
||||
resolved "https://registry.yarnpkg.com/morgan/-/morgan-1.9.1.tgz#0a8d16734a1d9afbc824b99df87e738e58e2da59"
|
||||
integrity sha512-HQStPIV4y3afTiCYVxirakhlCfGkI161c76kKFca7Fk1JusM//Qeo1ej2XaMniiNeaZklMVrh3vTtIzpzwbpmA==
|
||||
dependencies:
|
||||
basic-auth "~2.0.0"
|
||||
debug "2.6.9"
|
||||
depd "~1.1.2"
|
||||
on-finished "~2.3.0"
|
||||
on-headers "~1.0.1"
|
||||
|
||||
move-concurrently@^1.0.1:
|
||||
version "1.0.1"
|
||||
resolved "https://registry.yarnpkg.com/move-concurrently/-/move-concurrently-1.0.1.tgz#be2c005fda32e0b29af1f05d7c4b33214c701f92"
|
||||
@ -6317,7 +6299,7 @@ on-finished@^2.3.0, on-finished@~2.3.0:
|
||||
dependencies:
|
||||
ee-first "1.1.1"
|
||||
|
||||
on-headers@^1.0.2, on-headers@~1.0.1, on-headers@~1.0.2:
|
||||
on-headers@^1.0.2, on-headers@~1.0.2:
|
||||
version "1.0.2"
|
||||
resolved "https://registry.yarnpkg.com/on-headers/-/on-headers-1.0.2.tgz#772b0ae6aaa525c399e489adfad90c403eb3c28f"
|
||||
integrity sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==
|
||||
|
Loading…
Reference in New Issue
Block a user