add csrf support, close #17

app.js

@@ -44,6 +44,9 @@ app.use(passport.session());
 var flash = require('connect-flash');
 app.use(flash());
 
+var csrf = require('csurf');
+app.use(csrf());
+
 var initPassport = require('./passport/init');
 initPassport(passport);
 
@@ -63,11 +66,18 @@ app.use(function(req, res, next) {
 // will print stacktrace
 if (app.get('env') === 'development') {
     app.use(function(err, req, res, next) {
-        res.status(err.status || 500);
-        res.render('error', {
-            message: err.message,
-            error: err
-        });
+        if (err.code === 'EBADCSRFTOKEN') {
+            // handle CSRF token errors here
+            res.status(403)
+            res.send('session has expired or form tampered with')
+        }
+        else {
+            res.status(err.status || 500);
+            res.render('error', {
+                message: err.message,
+                error: err
+            });
+        }
     });
 }
 

package.json

@@ -13,6 +13,7 @@
     "connect-flash": "^0.1.1",
     "connect-mongo": "^0.7.0",
     "cookie-parser": "~1.3.3",
+    "csurf": "^1.6.5",
     "debug": "~2.0.0",
     "dotenv": "^0.5.1",
     "express": "~4.9.0",

routes/index.js

@@ -79,7 +79,8 @@ module.exports = function(passport) {
     router.get('/', function(req, res) {
         res.render('index', {
             user: req.user,
-            message: req.flash('message')
+            message: req.flash('message'),
+            csrfToken: req.csrfToken()
         });
     });
 
@@ -90,7 +91,10 @@ module.exports = function(passport) {
     }));
 
     router.get('/signup', function(req, res) {
-        res.render('register', {message: req.flash('message')});
+        res.render('register', { 
+            message: req.flash('message'),
+            csrfToken: req.csrfToken()
+        });
     });
 
     router.post('/signup', passport.authenticate('signup', {
@@ -127,7 +131,8 @@ module.exports = function(passport) {
     router.get('/event-create', isAuthenticated, function(req, res) {
         res.render('event-create', {
             user: req.user,
-            isEventActive: 'active'
+            isEventActive: 'active',
+            csrfToken: req.csrfToken()
         });
     });
 
@@ -155,7 +160,8 @@ module.exports = function(passport) {
                 res.render('event-edit', {
                     user: req.user,
                     isEventActive: 'active',
-                    event: event
+                    event: event,
+                    csrfToken: req.csrfToken()
                 });
             }
         });
@@ -237,7 +243,8 @@ module.exports = function(passport) {
             res.render('talk-create', {
                 user: req.user,
                 isTalkActive: 'active',
-                event: event
+                event: event,
+                csrfToken: req.csrfToken()
             });
         });
     });
@@ -274,7 +281,8 @@ module.exports = function(passport) {
                             user: req.user,
                             isTalkActive: 'active',
                             talk: talk,
-                            events: eventObjs
+                            events: eventObjs,
+                            csrfToken: req.csrfToken()
                         });
                     }
                 });

views/event-create.jade

@@ -3,6 +3,7 @@ extends layout
 block content
     div.container-fluid
         form(class='form-horizontal', role='form', action='/event-new', method='POST')
+            input(type="hidden", name="_csrf", value="#{csrfToken}")
             div.form-group
                 label(for='event-name', class='control-label col-sm-2') Name
                 div.col-sm-10

views/event-edit.jade

@@ -3,6 +3,7 @@ extends layout
 block content
     div.container-fluid
         form(class='form-horizontal', role='form', action='/event-update', method='POST')
+            input(type="hidden", name="_csrf", value="#{csrfToken}")
             div.form-group
                 label(for='event-name', class='control-label col-sm-2') Name
                 div.col-sm-10

views/layout.jade

@@ -34,6 +34,7 @@ html
                                 li
                                     a(href='/signup') Sign up!
                             form(class='navbar-form navbar-right', role='login', action='/login', method='POST')
+                                input(type="hidden", name="_csrf", value="#{csrfToken}")
                                 div.form-group
                                     input(type='text', name='email', class='form-control', placeholder='email')
                                     input(type='password', name='password', class='form-control', placeholder='password')

views/register.jade

@@ -3,6 +3,7 @@ extends layout
 block content
     div.container-fluid
         form(class='form-horizontal', role='form', action='/signup', method='POST')
+            input(type="hidden", name="_csrf", value="#{csrfToken}")
             div.form-group
                 label(for='user-name', class='control-label col-sm-2') Name
                 div.col-sm-10

views/talk-create.jade

@@ -3,6 +3,7 @@ extends layout
 block content
     div.container-fluid
         form(class='form-horizontal', role='form', action='/talk-new', method='POST')
+            input(type="hidden", name="_csrf", value="#{csrfToken}")
             div.form-group
                 label(for='talk-name', class='control-label col-sm-2') Name
                 div.col-sm-10

views/talk-edit.jade

@@ -3,6 +3,7 @@ extends layout
 block content
     div.container-fluid
         form(class='form-horizontal', role='form', action='/talk-update', method='POST')
+            input(type="hidden", name="_csrf", value="#{csrfToken}")
             div.form-group
                 label(for='talk-name', class='control-label col-sm-2') Name
                 div.col-sm-10