CSRF should not be applied to our proxy connections #214

Merged
merged 1 commit into from
Sep 23, 2018
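--- a/app.js
+++ b/app.js
@@ -262,10 +262,27 @@ app.use(session({
 app.use(flash());
 app.use(passport.initialize());
 app.use(passport.session());
+//TODO we need to remove this hack, its leftover from long ago.
+//we need to know if this is a proxy connection or not (home/remote), other middleware depends on it.
+app.use(function (req, res, next) {
+var host = req.headers.host;
+// console.log(host);
+if (!host) {
+next(); // No host in header, just go ahead
+}
+// If host matches names for full /* proxying, go ahead and just proxy it.
+if (host.indexOf('remote.') === 0 || host.indexOf('home.') === 0) {
+//make sure this was not set by another server
+if(req.url.indexOf('/remote') != 0){
+req.url = '/remote' + req.url;
+}
+}
+next();
+});
 app.use(function (req, res, next) {
 var csrf = csurf();
-// Check if url needs csrf
-if (!req.path.match('/rest*') && !req.path.match('/oauth2/token') && !req.path.match('/ifttt/*'))
+// Check if url needs csrf, remote connections and REST connections are excluded from CSRF
+if (!req.path.match('/rest*') && !req.path.match('/oauth2/token') && !req.path.match('/ifttt/*') && !req.path.match('/remote/*'))
 csrf(req, res, next);
 else
 next();
@@ -323,21 +340,7 @@ app.use(function (req, res, next) {
 res.locals.registration_enabled = system.isUserRegistrationEnabled();
 next();
 });
-app.use(function (req, res, next) {
-var host = req.headers.host;
-// console.log(host);
-if (!host) {
-next(); // No host in header, just go ahead
-}
-// If host matches names for full /* proxying, go ahead and just proxy it.
-if (host.indexOf('remote.') === 0 || host.indexOf('home.') === 0) {
-//make sure this was not set by another server
-if(req.url.indexOf('/remote') != 0){
-req.url = '/remote' + req.url;
-}
-}
-next();
-});
+
 app.use(serveStatic(path.join(__dirname, 'public')));
 
 var server = app.listen(app.get('port'), function () {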
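Review bot: The new exemption `!req.path.match('/remote/*')` passes a string to `String.prototype.match`, which compiles it as an unanchored regex, so it skips CSRF for any path that merely contains `/remote` rather than only paths the proxy middleware prefixed (the pre-existing `/rest*` has the same flaw: as a regex it is `/res` followed by zero or more `t`, so a constructed path like `/reset` would also be exempt). Anchor it, e.g. `!req.path.startsWith('/remote/')`, or better, have the host-rewrite middleware record its decision (`req.isProxied = true;`) and key the exemption on that flag, because the rewrite deliberately leaves a URL that already starts with `/remote` untouched, so the path alone does not establish that a request arrived via the proxy host. In the moved host-check middleware, `if (!host) { next(); }` has no `return`, so a request without a Host header calls `next()` and then throws a TypeError on `host.indexOf(...)`, running the chain twice; it should be `if (!host) { return next(); }`. `var csrf = csurf();` also builds a fresh csurf instance on every request, which is an existing context line but worth hoisting to module scope while this middleware is being touched.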