Fix emails and csrf

2018-08-11 12:08:16 +01:00 · 2018-08-11 12:08:16 +01:00 · 207c12973e
commit 207c12973e
parent c6e420893a
7 changed files with 80 additions and 138 deletions
--- a/web/app.js
+++ b/web/app.js
@ -35,7 +35,14 @@ router.use(async (ctx, next) => {
  await next();
 });

-router.use(new CSRF());
+router.use(new CSRF({
+  invalidSessionSecretMessage: 'Invalid session secret',
+  invalidSessionSecretStatusCode: 403,
+  invalidTokenMessage: 'Invalid CSRF token',
+  invalidTokenStatusCode: 403,
+  excludedMethods: ['GET', 'HEAD', 'OPTIONS'],
+  disableQuery: false,
+}));

 router.use(views(path.join(__dirname, 'views'), {
  extension: 'ejs',
--- a/web/lib/auth.js
+++ b/web/lib/auth.js
@ -4,12 +4,12 @@ import passwords from 'passwords';
 import uuid from 'node-uuid';
 import views from 'co-views';
 import debugname from 'debug';
-import sendgridInit from 'sendgrid';
+import sendgrid from '@sendgrid/mail';
 import models from '../../models';

 const render = views(join(__dirname, '..', 'views'), { default: 'ejs' });
 const debug = debugname('hostr-web:auth');
-const sendgrid = sendgridInit(process.env.SENDGRID_KEY);
+sendgrid.setApiKey(process.env.SENDGRID_KEY);

 const from = process.env.EMAIL_FROM;
 const fromname = process.env.EMAIL_NAME;
@ -133,16 +133,17 @@ ${process.env.WEB_BASE_URL}/activate/${user.activation.id}

 — Jonathan Cremin, Hostr Founder
 `;
-  const mail = new sendgrid.Email({
+  sendgrid.send({
    to: user.email,
    subject: 'Welcome to Hostr',
    from,
    fromname,
    html,
    text,
+    categories: [
+      'activate',
+    ],
  });
-  mail.addCategory('activate');
-  sendgrid.send(mail);
 }


@ -163,16 +164,17 @@ export async function sendResetToken(email) {
    const text = `It seems you've forgotten your password :(
 Visit  ${process.env.WEB_BASE_URL}/forgot/${reset.id} to set a new one.
 `;
-    const mail = new sendgrid.Email({
+    sendgrid.send({
      to: user.email,
      from: 'jonathan@hostr.co',
      fromname: 'Jonathan from Hostr',
      subject: 'Hostr Password Reset',
      html,
      text,
+      categories: [
+        'password-reset',
+      ],
    });
-    mail.addCategory('password-reset');
-    sendgrid.send(mail);
  } else {
    throw new Error('There was an error looking up your email address.');
  }
--- a/web/routes/user.js
+++ b/web/routes/user.js
@ -41,7 +41,6 @@ export async function signup(ctx) {
    return;
  }

-  ctx.assertCSRF(ctx.request.body);
  if (ctx.request.body.email !== ctx.request.body.confirm_email) {
    await ctx.render('signup', { error: 'Emails do not match.', csrf: ctx.csrf });
    return;
@ -69,7 +68,7 @@ export async function signup(ctx) {
  ctx.statsd.incr('auth.signup', 1);
  await ctx.render('signup', {
    message: 'Thanks for signing up, we\'ve sent you an email to activate your account.',
-    csrf: '',
+    csrf: ctx.csrf,
  });
 }

@ -86,7 +85,7 @@ export async function forgot(ctx) {
      });
      return;
    }
-    ctx.assertCSRF(ctx.request.body);
+
    const user = await validateResetToken(token);
    if (user) {
      await updatePassword(user.userId, ctx.request.body.password);
@ -109,7 +108,7 @@ export async function forgot(ctx) {
    }
    await ctx.render('forgot', { csrf: ctx.csrf, token });
  } else if (ctx.request.body.email) {
-    ctx.assertCSRF(ctx.request.body);
+
    try {
      const { email } = ctx.request.body;
      await sendResetToken.call(ctx, email);