diff --git a/web/app.js b/web/app.js
index 84429ad..df57e3f 100644
--- a/web/app.js
+++ b/web/app.js
@@ -17,7 +17,7 @@ import debugname from 'debug';
 const debug = debugname('hostr-web');
 const router = new Router();
-router.use(errors({template: path.join(__dirname, 'public', '404.html')}));
+router.use(errors({template: path.join(__dirname, 'public', 'error.html')}));
 let statsdOpts = {prefix: 'hostr-web', host: process.env.STATSD_HOST || 'localhost'};
 router.use(stats(statsdOpts));
@@ -39,6 +39,8 @@ router.use(function* (next) {
 yield next;
 });
+router.use(csrf());
+
 router.use(views('views', { default: 'ejs' }));
diff --git a/web/public/50x.html b/web/public/50x.html
index d8dd755..8decaf1 100644
--- a/web/public/50x.html
+++ b/web/public/50x.html
@@ -21,7 +21,7 @@
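Review bot: `router.use(csrf())` depends on a session being populated before it runs and on a parsed body when handlers later call `this.assertCSRF(this.request.body)`; the session and body-parser registrations are not in this hunk, so confirm both precede this line. If this is the csrf middleware release that only attaches `this.csrf`/`this.assertCSRF` (the per-route calls elsewhere in this diff suggest it is), nothing here enforces the token globally, and any state-changing route not touched by this commit stays unchecked; a comment such as `// attaches this.csrf / this.assertCSRF only; each POST handler must call assertCSRF` would make that contract visible. The first hunk also points the errors middleware at error.html, whose `{{ }}`/`{% %}` syntax must match the engine that middleware renders with; that option is outside the hunk.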
-

<%=err.status%>

+

500

Sorry, It looks like you've hit an unexpected error.

Refreshing might fix the problem. If not, sit tight! We're on it!

diff --git a/web/public/error.html b/web/public/error.html new file mode 100644 index 0000000..1de9e73 --- /dev/null +++ b/web/public/error.html @@ -0,0 +1,47 @@ + + + + + + + Hostr - File not found + + + + + + +
+
+
+ +
+
+
+
+

{{ status }}

+ {% if status >= 500 %} +

{{ error }}

+

Refreshing might fix the problem. If not, sit tight! We're on it!

+ {% elseif status === 404 %} +

Sorry, it looks like the file you asked for is gone.

+ Take Me Home + {% else %} +

{{ error }}

+ Take Me Home + {% endif %} +

+
+
+
+ + + +
diff --git a/web/routes/pro.js b/web/routes/pro.js
index fd20710..61da1d9 100644
--- a/web/routes/pro.js
+++ b/web/routes/pro.js
@@ -65,6 +65,7 @@ export function* create() {
 }
 export function* cancel() {
+ this.assertCSRF();
 const Users = this.db.Users;
 const user = yield Users.findOne({_id: this.session.user.id});
diff --git a/web/routes/user.js b/web/routes/user.js
index 8209cad..677bae7 100644
--- a/web/routes/user.js
+++ b/web/routes/user.js
@@ -4,8 +4,9 @@ export function* signin() {
 if (!this.request.body.email) {
 return yield this.render('signin', {csrf: this.csrf});
 }
- this.statsd.incr('auth.attempt', 1);
+ this.statsd.incr('auth.attempt', 1);
+ this.assertCSRF(this.request.body);
 const user = yield authenticate.call(this, this.request.body.email, this.request.body.password);
 if(!user) {
 this.statsd.incr('auth.failure', 1);
@@ -25,6 +26,7 @@ export function* signup() {
 return yield this.render('signup', {csrf: this.csrf});
 }
+ this.assertCSRF(this.request.body);
 if (this.request.body.email !== this.request.body.confirm_email) {
 return yield this.render('signup', {error: 'Emails do not match.', csrf: this.csrf});
 } else if (this.request.body.email && !this.request.body.terms) {
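Review bot: The title text `Hostr - File not found` is fixed while the body branches on `status` and app.js now routes every error status through this template, so 5xx pages will carry a "file not found" title; use `Hostr - {{ status }}` or wrap the title in the same `{% if status >= 500 %}` branch. `{{ status }}` and `{{ error }}` are written straight into the markup, and whether they are HTML-escaped depends on the engine the errors middleware renders this file with, which is outside this diff — confirm autoescaping is on, since `error` is a server-side message that may include request-derived text. `{% elseif status === 404 %}` uses strict equality, which only matches if the engine passes `status` as a number; verify that, or compare with `==`. Most of the markup is stripped in this view, so the tags around these expressions could not be checked.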
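Review bot: `this.assertCSRF()` in cancel is called without the request body, unlike the user.js handlers in this same commit, which pass `this.request.body`; unless the csrf middleware falls back to the parsed body on its own, the token is then only looked for in the query string or headers and a form-posted `_csrf` field would be rejected with a 403. Use `this.assertCSRF(this.request.body);` here for consistency with the other handlers. cancel's body continues past the hunk.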
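Review bot: In signin, `this.assertCSRF(this.request.body);` is placed after `this.statsd.incr('auth.attempt', 1);`, so requests rejected for a missing or invalid token are counted as authentication attempts yet never reach `auth.failure`, which skews the ratio those two counters are presumably used for; swapping the two lines keeps the attempt metric limited to requests that passed the token check. The signup hunk below already asserts before any other work, so this would also make the two handlers consistent. signin's body continues past the hunk.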
@@ -41,13 +43,19 @@ export function* signup() {
 return yield this.render('signup', {error: e.message, csrf: this.csrf});
 }
 this.statsd.incr('auth.signup', 1);
- return yield this.render('signup', {message: 'Thanks for signing up, we\'ve sent you an email to activate your account.'});
+ return yield this.render('signup', {message: 'Thanks for signing up, we\'ve sent you an email to activate your account.', csrf: ''});
 }
-export function* forgot(token) {
+export function* forgot() {
 const Reset = this.db.Reset;
 const Users = this.db.Users;
+ if (this.request.body) {
+ return yield this.render('forgot', {token: null, csrf: this.csrf});
+ }
+ const token = this.params.token;
+
+ this.assertCSRF(this.request.body);
 if (this.request.body.email) {
 var email = this.request.body.email;
 yield sendResetToken.call(this, email);
@@ -87,9 +95,12 @@ export function* logout() {
 }
-export function* activate(code) {
+export function* activate() {
+ const code = this.params.code;
 if (yield activateUser.call(this, code)) {
 this.statsd.incr('auth.activation', 1);
+ this.redirect('/');
+ } else {
+ this.throw(400);
 }
- this.redirect('/');
 }
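Review bot: The new guard in forgot is inverted: `if (this.request.body) { return yield this.render('forgot', {token: null, csrf: this.csrf}); }` returns whenever a body object is present, so the `this.assertCSRF(this.request.body)` line and the `this.request.body.email` branch below it are only reached when there is no body at all — and then `this.request.body.email` throws a TypeError. The probable intent is to show the form on a bodiless request, i.e. `if (!this.request.body) {`; if the body parser always supplies an object (often `{}` on GET), condition on the posted fields instead, and keep `this.assertCSRF` on the path that actually handles the POST. The function's remaining branches, including whatever consumes `this.params.token`, lie outside the hunk and need the same check. The activate hunk at the end of this line looks correct: the redirect now only follows a successful activation and a bad code yields `this.throw(400)`.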