ログイン機能を実装しています。CSRF対策として app.use express.csrf() を設定。app.dynamicHelpers に req.session._csrf を返すようにして、Viewでtokenを出力するプログラム。
何故か req.session._csrf に undefined が。。。CoffeeKupのテンプレートが悪いのかと思ったが、Jadeでも同じ。
StackOverFlow - How do I generate CSRF tokens in Express?
npm lsでのパッケージ構成
├── bcrypt@0.5.0 extraneous ├─┬ coffeekup@0.3.1 │ └── coffee-script@1.2.0 ├─┬ express@2.5.5 │ ├─┬ connect@1.8.5 │ │ └── formidable@1.0.9 │ ├── mime@1.2.5 │ ├── mkdirp@0.0.7 │ └── qs@0.4.2 ├─┬ js2coffee@0.1.3 │ ├── coffee-script@1.2.0 │ └── underscore@1.3.1 ├─┬ mongoose@2.5.9 extraneous │ ├── hooks@0.1.9 │ └── mongodb@0.9.7-3-5 └── mongoose-types@1.0.3 extraneous
app.coffee
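fs = require('fs')
express = require("express")
routes = require("./routes")
mongoose = require('mongoose')

# HTTPS server; the TLS key and certificate are read from the working
# directory at startup (the whole app is exported so tests can require it).
app = module.exports = express.createServer
  key: fs.readFileSync 'key.pem'
  cert: fs.readFileSync 'cert.pem'

app.configure ->
  app.register ".coffee", require("coffeekup").adapters.express
  app.set "views", __dirname + "/views"
  app.set "view engine", "coffee"

  # Middleware runs in mount order: the session must exist before csrf() can
  # store a token in it, and bodyParser must run before csrf() so the
  # submitted _csrf field is readable.
  app.use express.cookieParser()
  app.use express.session
    secret: "your secret here"  # TODO: load from configuration, not from source
    # The Secure flag belongs under `cookie`; a top-level `secure` key is not
    # read by the connect 1.x session middleware.
    cookie:
      secure: true
  app.use express.bodyParser()
  app.use express.query()
  app.use express.methodOverride()
  # csrf() must be mounted BEFORE app.router. With it mounted after the router,
  # the routes (and the `token` view helper) ran before req.session._csrf had
  # been generated, which is why the helper saw `undefined`.
  app.use express.csrf()
  app.use app.router
  app.use express.static(__dirname + "/public")

# View helper: exposes the per-session CSRF token so forms can embed it as the
# `_csrf` field. The token is deliberately not logged; it is a secret.
app.dynamicHelpers token: (req, res) ->
  req.session._csrf

app.configure "development", ->
  mongoose.connect 'mongodb://localhost/sample'
  # Verbose error pages are for development only.
  app.use express.errorHandler
    dumpExceptions: true
    showStack: true

app.configure "production", ->
  mongoose.connect 'mongodb://localhost/sample'
  app.use express.errorHandler()

app.get "/", routes.index
app.get "/login", routes.login
app.post "/login", routes.authenticate
app.get "/secret", routes.secret
app.get "/signup", routes.signup
app.post "/signup", routes.regist
app.get "/logout", routes.logout

app.listen 3000
console.log "Express server listening on port %d in %s mode", app.address().port, app.settings.env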
CSRF対策できないと、使えんぞ。。。自分で実装するしかないか。