var crypto = require('crypto');
var express = require('express');
var _ = require('underscore');
var clientSessions = require('client-sessions');
var errors = require('./lib/errors');
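// Name of the session cookie handed to client-sessions (see exports.session).
var COOKIE_KEY = 'session';

// Secret handed to client-sessions as `secret` in exports.session. Everything
// that protects req.session from tampering rests on it, so an unset OR empty
// value is refused at startup: the old check (`'COOKIE_SECRET' in process.env`)
// accepted COOKIE_SECRET="" and would have run with a trivially guessable key.
var COOKIE_SECRET = process.env.COOKIE_SECRET;
if (typeof COOKIE_SECRET !== 'string' || COOKIE_SECRET.length === 0) {
  // TODO - switch this behaviour to be more like that in the backpack,
  // where a token is generated automatically and stored for future use
  // See: https://github.com/mozilla/openbadges/blob/development/middleware.js#L14
  throw new Error('COOKIE_SECRET not set or empty in environment');
}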
/**
 * Build the client-sessions middleware that backs req.session.
 *
 * The cookie is named COOKIE_KEY and keyed with COOKIE_SECRET (both defined
 * at the top of this file) and lives for one week. httpOnly keeps it out of
 * reach of page scripts.
 *
 * NOTE(review): no `secure` flag is set, so the cookie is also sent over
 * plain HTTP. If the deployment terminates TLS, consider enabling it
 * (client-sessions documents a `cookie.secure` option — verify for the
 * installed version); left unchanged here to avoid breaking non-TLS dev.
 *
 * @returns {Function} express middleware
 */
exports.session = function session () {
  var oneWeekMs = 7 * 24 * 60 * 60 * 1000;
  var cookieFlags = { httpOnly: true };
  var sessionOptions = {
    cookieName: COOKIE_KEY,
    secret: COOKIE_SECRET,
    maxAge: oneWeekMs,
    cookie: cookieFlags
  };
  return clientSessions(sessionOptions);
};
/**
 * Build a middleware that admits only sessions whose user is of `type`.
 *
 * Delegates to exports.loggedIn first, so anonymous requests are sent to
 * /login. A signed-in user of any other type is redirected to the `home`
 * recorded in their session rather than being allowed through.
 *
 * @param {string} type - expected value of req.session.user.type
 * @returns {Function} express middleware (req, res, next)
 */
function isUserType (type) {
  function requireType (req, res, next) {
    exports.loggedIn(req, res, function onLoggedIn () {
      var user = req.session.user;
      if (user.type === type) {
        return next();
      }
      return res.redirect(user.home);
    });
  }
  return requireType;
}
exports.isLearner = isUserType('learner');
exports.isGuardian = isUserType('guardian');
/**
 * Middleware that matches only signed-in learners flagged `underage`.
 *
 * Anonymous users and non-learners are handled by exports.isLearner
 * (redirect). A learner who is not underage falls through to the next
 * matching route via next('route') instead of being rejected.
 */
exports.isUnderageLearner = function isUnderageLearner (req, res, next) {
  exports.isLearner(req, res, function onLearner () {
    var underage = Boolean(req.session.user.underage);
    return underage ? next() : next('route');
  });
};
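/**
 * Middleware that requires a signed-in user.
 *
 * Without req.session.user the request is redirected to /login; the URL that
 * was requested is remembered in req.session.afterLogin so the login flow
 * (outside this file) can send the user back afterwards.
 *
 * Only a same-origin path is remembered. req.originalUrl is attacker-supplied
 * and a value such as `//evil.example/` would turn a later
 * `res.redirect(req.session.afterLogin)` into an open redirect; in that case
 * afterLogin is cleared so the login handler uses its own default target.
 */
exports.loggedIn = function loggedIn(req, res, next) {
  var user = req.session.user;
  if (!user) {
    if (isLocalPath(req.originalUrl)) {
      req.session.afterLogin = req.originalUrl;
    } else {
      // Also drops any stale value left over from an earlier request.
      delete req.session.afterLogin;
    }
    return res.redirect('/login');
  }
  return next();
};

// True for an absolute path on this origin ("/foo?x=1"); false for anything a
// browser could read as a scheme-relative or absolute URL ("//host",
// "/\\host", "http://host") or that is not a string at all.
function isLocalPath (url) {
  if (typeof url !== 'string' || url.charAt(0) !== '/') return false;
  var second = url.charAt(1);
  return second !== '/' && second !== '\\';
}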
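/**
 * CSRF protection middleware (synchroniser-token pattern).
 *
 * A per-session token is created on first use and kept in req.session._csrf;
 * the page/form layer is expected to echo it back. GET and HEAD requests only
 * make sure the token exists; every other method must present a matching
 * token via `options.value(req)` (default: defaultCsrfValue — body `_csrf`,
 * query `_csrf`, or the X-CSRF-Token header) or the request is failed with
 * errors.Forbidden().
 *
 * @param {Object} [options]
 * @param {Function} [options.value] - (req) => token supplied by the client
 * @param {string[]} [options.whitelist] - regex sources matched against the
 *   full req.url (path plus query string); matching requests skip the check
 *   entirely and do not get a token generated. NOTE(review): req.url is
 *   relative to the mount point when mounted under a prefix — confirm the
 *   patterns in use account for that.
 * @returns {Function} express middleware
 */
exports.csrf = function (options) {
  options = options || {};
  var value = options.value || defaultCsrfValue;
  // Default to [] so csrf() with no whitelist does not throw on the first
  // request (whitelisted() used to iterate over undefined).
  var list = options.whitelist || [];
  return function (req, res, next) {
    if (whitelisted(list, req.url))
      return next();
    var token = req.session._csrf || (req.session._csrf = uid(24));
    if ('GET' === req.method || 'HEAD' === req.method)
      return next();
    if (!csrfTokenMatches(token, value(req))) {
      // logger.debug("CSRF token failure");
      return next(errors.Forbidden());
    }
    next();
  };
};

// Constant-time comparison of the session token against the client-supplied
// value. Only a string of exactly the same length can match: the previous
// `val != token` coerced whatever the body parser produced (arrays, numbers)
// and compared with early exit, leaking the position of the first mismatch.
function csrfTokenMatches (expected, provided) {
  if (typeof expected !== 'string' || typeof provided !== 'string') return false;
  var a = Buffer.from(expected);
  var b = Buffer.from(provided);
  if (a.length !== b.length) return false;
  return crypto.timingSafeEqual(a, b);
}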
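/**
 * Default extractor for the client-supplied CSRF token.
 *
 * Looks, in order, at the parsed body (`_csrf`), the query string (`_csrf`),
 * then the `x-csrf-token` header; the first truthy value wins. Returns
 * undefined when none is present — including when req.body, req.query or
 * req.headers is missing (req.headers used to be dereferenced unconditionally
 * and threw a TypeError on a request object without it).
 *
 * NOTE(review): accepting the token from the query string lets it end up in
 * access logs, browser history and Referer headers; prefer body/header and
 * consider dropping the query source once callers are audited.
 *
 * @param {Object} req - express request
 * @returns {*} the token as supplied, or undefined
 */
function defaultCsrfValue (req) {
  var body = req.body;
  var query = req.query;
  var headers = req.headers;
  return (body && body._csrf)
    || (query && query._csrf)
    || (headers && headers['x-csrf-token']);
}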
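/**
 * Does `input` (normally req.url) match any pattern in the CSRF whitelist?
 *
 * Each entry is a regular-expression source that must match the whole input.
 * The source is wrapped in a non-capturing group before anchoring: the
 * previous `'^' + p + '$'` turned an alternation such as `/a|/b` into
 * `^/a|/b$`, which matches any URL that merely starts with `/a` and so
 * exempted far more than intended from the CSRF check.
 *
 * @param {string[]|undefined} list - regex sources; a missing or empty list
 *   matches nothing instead of throwing
 * @param {string} input - URL to test
 * @returns {boolean}
 */
function whitelisted (list, input) {
  if (!list || list.length === 0) return false;
  for (var i = 0; i < list.length; i++) {
    var pattern = new RegExp('^(?:' + list[i] + ')$');
    if (pattern.test(input)) return true;
  }
  return false;
}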
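/**
 * Generate a random string of `len` characters from [A-Za-z0-9].
 *
 * This is the per-session CSRF token, so the characters must be
 * unpredictable: bytes come from crypto.randomBytes (the previous version
 * drew from Math.random, which is not a cryptographic generator). A byte is
 * only used when it is below 248 (= 4 * 62, the largest multiple of the
 * alphabet size that fits in a byte), so `byte % 62` is uniform instead of
 * biased towards the first eight characters; rejected bytes (8/256) are
 * replaced on the next pass.
 *
 * @param {number} len - number of characters; 0, negative or NaN yields ''
 * @returns {string}
 */
function uid (len) {
  var chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  var charlen = chars.length;
  var limit = 256 - (256 % charlen); // 248
  var wanted = Math.floor(Number(len)) || 0;
  var out = '';
  while (out.length < wanted) {
    var bytes = crypto.randomBytes(wanted - out.length);
    for (var i = 0; i < bytes.length && out.length < wanted; i++) {
      if (bytes[i] < limit) out += chars[bytes[i] % charlen];
    }
  }
  return out;
}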
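/**
 * Uniform random integer in the closed range [min, max], drawn from the
 * system CSPRNG (crypto.randomBytes) so it is safe for token generation.
 *
 * Math.random — the previous source — is not a cryptographic generator, and
 * a bare `draw % range` would also over-represent the low values; instead a
 * 32-bit draw is repeated whenever it falls in the tail above the largest
 * multiple of the range size.
 *
 * @param {number} min - lower bound (inclusive); rounded up to an integer
 * @param {number} max - upper bound (inclusive); rounded down to an integer
 * @returns {number} integer in [min, max]
 * @throws {RangeError} if the range is empty, not finite, or wider than 2^32
 */
function getRandomInt (min, max) {
  var lo = Math.ceil(min);
  var hi = Math.floor(max);
  var range = hi - lo + 1;
  var span = 0x100000000; // 2^32: number of distinct 4-byte draws
  // `!(range >= 1)` also rejects NaN (e.g. undefined bounds).
  if (!(range >= 1) || range > span) {
    throw new RangeError('getRandomInt: invalid range [' + min + ', ' + max + ']');
  }
  var limit = span - (span % range);
  var draw;
  do {
    draw = crypto.randomBytes(4).readUInt32BE(0);
  } while (draw >= limit);
  return lo + (draw % range);
}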