diff --git a/web/app.js b/web/app.js
index 84429ad..df57e3f 100644
--- a/web/app.js
+++ b/web/app.js
@@ -17,7 +17,7 @@ import debugname from 'debug';
const debug = debugname('hostr-web');
const router = new Router();
-router.use(errors({template: path.join(__dirname, 'public', '404.html')}));
+router.use(errors({template: path.join(__dirname, 'public', 'error.html')}));
let statsdOpts = {prefix: 'hostr-web', host: process.env.STATSD_HOST || 'localhost'};
router.use(stats(statsdOpts));
@@ -39,6 +39,8 @@ router.use(function* (next) {
yield next;
});
+router.use(csrf());
+
router.use(views('views', {
default: 'ejs'
}));
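Review bot: `router.use(csrf())` is mounted with no visible import of `csrf` and no visible session middleware ahead of it; koa-style CSRF middleware keeps its secret in `this.session`, so it must be registered after the session middleware or every `assertCSRF()` call will fail. Both the import block and the earlier `router.use` calls are outside this hunk, so please confirm the ordering, and consider a one-line comment such as `// must follow session(): assertCSRF() reads the secret from this.session`. Note that `this.csrf` was already being rendered into forms before this commit (see the unchanged `csrf: this.csrf` in user.js), so if the middleware was previously mounted elsewhere it may now be registered twice.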
diff --git a/web/public/50x.html b/web/public/50x.html
index d8dd755..8decaf1 100644
--- a/web/public/50x.html
+++ b/web/public/50x.html
@@ -21,7 +21,7 @@
-
<%=err.status%>
+
500
Sorry, It looks like you've hit an unexpected error.
Refreshing might fix the problem. If not, sit tight! We're on it!
diff --git a/web/public/error.html b/web/public/error.html
new file mode 100644
index 0000000..1de9e73
--- /dev/null
+++ b/web/public/error.html
@@ -0,0 +1,47 @@
+
+
+
+
+
+
+
Hostr - File not found
+
+
+
+
+
+
+
+
+
+
+

+
+
+
+
+
+
{{ status }}
+ {% if status >= 500 %}
+
{{ error }}
+
Refreshing might fix the problem. If not, sit tight! We're on it!
+ {% elseif status === 404 %}
+
Sorry, it looks like the file you asked for is gone.
+
Take Me Home
+ {% else %}
+
{{ error }}
+
Take Me Home
+ {% endif %}
+
+
+
+
+
+
+
+
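Review bot: `{{ error }}` in the `status >= 500` branch sends the server-side error message to the client; if `error` is the caught exception's message, as koa-error supplies it, production 5xx responses can expose database or filesystem details. Consider a fixed sentence in that branch and keep `{{ error }}` only for the 4xx `else` branch, or gate it on a non-production flag. The title is hard-coded to `Hostr - File not found` although the template now serves every status; `Hostr - {{ status }}` would match the branches below. The `{{ }}` output is only safe against markup injection if the engine's autoescaping is left on, which is worth confirming in the view setup.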
diff --git a/web/routes/pro.js b/web/routes/pro.js
index fd20710..61da1d9 100644
--- a/web/routes/pro.js
+++ b/web/routes/pro.js
@@ -65,6 +65,7 @@ export function* create() {
}
export function* cancel() {
+ this.assertCSRF();
const Users = this.db.Users;
const user = yield Users.findOne({_id: this.session.user.id});
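Review bot: `this.assertCSRF()` is called with no body here while the user.js handlers in this commit pass `this.request.body`; if the token is submitted as a form field, this call depends on the middleware falling back to `this.request.body` (or a header/query token) on its own. Passing it explicitly keeps the four call sites consistent: `this.assertCSRF(this.request.body);`. `cancel`'s body continues outside the hunk.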
diff --git a/web/routes/user.js b/web/routes/user.js
index 8209cad..677bae7 100644
--- a/web/routes/user.js
+++ b/web/routes/user.js
@@ -4,8 +4,9 @@ export function* signin() {
if (!this.request.body.email) {
return yield this.render('signin', {csrf: this.csrf});
}
- this.statsd.incr('auth.attempt', 1);
+ this.statsd.incr('auth.attempt', 1);
+ this.assertCSRF(this.request.body);
const user = yield authenticate.call(this, this.request.body.email, this.request.body.password);
if(!user) {
this.statsd.incr('auth.failure', 1);
@@ -25,6 +26,7 @@ export function* signup() {
return yield this.render('signup', {csrf: this.csrf});
}
+ this.assertCSRF(this.request.body);
if (this.request.body.email !== this.request.body.confirm_email) {
return yield this.render('signup', {error: 'Emails do not match.', csrf: this.csrf});
} else if (this.request.body.email && !this.request.body.terms) {
@@ -41,13 +43,19 @@ export function* signup() {
return yield this.render('signup', {error: e.message, csrf: this.csrf});
}
this.statsd.incr('auth.signup', 1);
- return yield this.render('signup', {message: 'Thanks for signing up, we\'ve sent you an email to activate your account.'});
+ return yield this.render('signup', {message: 'Thanks for signing up, we\'ve sent you an email to activate your account.', csrf: ''});
}
-export function* forgot(token) {
+export function* forgot() {
const Reset = this.db.Reset;
const Users = this.db.Users;
+ if (this.request.body) {
+ return yield this.render('forgot', {token: null, csrf: this.csrf});
+ }
+ const token = this.params.token;
+
+ this.assertCSRF(this.request.body);
if (this.request.body.email) {
var email = this.request.body.email;
yield sendResetToken.call(this, email);
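Review bot: The guard `if (this.request.body)` in `forgot` looks inverted: the lines after it, `this.assertCSRF(this.request.body)` and `if (this.request.body.email)`, only run when `this.request.body` is falsy and then throw a TypeError on `.email`, so a submitted form can never be processed. If the intent is to serve the blank form on GET, `if (this.method !== 'POST') {` is more robust than testing the body, since body parsers commonly set `this.request.body` to `{}` on GET. The token is also read only after the early return, so a GET carrying `:token` renders with `token: null`; if the template needs it, read `this.params.token` before the guard. The rest of `forgot`'s body is outside the hunk.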
@@ -87,9 +95,12 @@ export function* logout() {
}
-export function* activate(code) {
+export function* activate() {
+ const code = this.params.code;
if (yield activateUser.call(this, code)) {
this.statsd.incr('auth.activation', 1);
+ this.redirect('/');
+ } else {
+ this.throw(400);
}
- this.redirect('/');
}