From b94beb7229a6129a184805a7bd3d0869d79dc357 Mon Sep 17 00:00:00 2001 From: Alejandro Romero Herrera Date: Mon, 31 Aug 2020 23:28:10 +0300 Subject: [PATCH 1/2] Fix Post based CSRF --- app/controllers/account.js | 3 +++ app/middlewares/requireLogin.js | 10 ++++++++++ media/js/views/modals.js | 6 ++++-- media/js/views/upload.js | 3 ++- package.json | 1 + templates/chat.html | 1 + templates/includes/modals/account.html | 1 + templates/includes/modals/profile.html | 1 + 8 files changed, 23 insertions(+), 3 deletions(-) diff --git a/app/controllers/account.js b/app/controllers/account.js index 7d653641d..a8b6a4caa 100644 --- a/app/controllers/account.js +++ b/app/controllers/account.js @@ -5,6 +5,7 @@ 'use strict'; var _ = require('lodash'), + {randomBytes} = require('crypto'), fs = require('fs'), psjon = require('./../../package.json'), auth = require('./../auth/index'), @@ -25,6 +26,7 @@ module.exports = function() { // Routes // app.get('/', middlewares.requireLogin.redirect, function(req, res) { + res.locals.csrfToken = req.session._csrf ; res.render('chat.html', { account: req.user, settings: settings, @@ -316,6 +318,7 @@ module.exports = function() { }); } req.session.passport = temp; + req.session._csrf = randomBytes(100).toString('base64').replace(/\//g,'_').replace(/\+/g,'-').replace(/=/g,'~'); res.json({ status: 'success', message: 'Logging you in...' diff --git a/app/middlewares/requireLogin.js b/app/middlewares/requireLogin.js index 5d7785e96..4bbccae23 100644 --- a/app/middlewares/requireLogin.js +++ b/app/middlewares/requireLogin.js @@ -8,6 +8,16 @@ var passport = require('passport'); function getMiddleware(fail) { return function(req, res, next) { + + if(req.method=='POST'){ + var fields = req.body || req.data; + var csrfToken = fields._csrf || fields['_csrf'] || req.headers['xcsrf-token']; + if(csrfToken !== req.session._csrf){ + res.sendStatus(401); + return; + } + } + if (req.user) { next(); return; 
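Review bot: `req.session._csrf` is read on the `res.locals.csrfToken =` line but, as far as this patch shows, is only assigned in the login response handler (the +318 hunk below), so a session that reaches `/` without passing through that handler — one created before this deploy, or by any other login path — renders an empty token into the page. That matters because the middleware added in requireLogin.js compares with `csrfToken !== req.session._csrf`: against such a session a forged POST carrying no token compares `undefined !== undefined` and is let through, so the check is off exactly where no token was ever issued. Generate the token lazily here instead, `if (!req.session._csrf) { req.session._csrf = randomBytes(32).toString('hex'); }`, and have the middleware reject whenever `req.session._csrf` is unset rather than relying on inequality. The stray space before the `;` is a style nit. The route handler and the enclosing `module.exports` function continue past the hunk.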
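Review bot: The token generation on the `req.session._csrf =` line is a one-off expression that any other place needing a fresh token (for example a GET route that finds the session without one) will have to copy; pulling it into a helper, `function newCsrfToken() { return randomBytes(32).toString('base64').replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '~'); }`, keeps the alphabet identical wherever it is called. 32 random bytes already give 256 bits of entropy, so 100 is more than needed, though not wrong. Replacing `=` with `~` is a custom alphabet rather than RFC 4648 base64url; since the value is only ever compared for equality that is harmless, but a one-line comment saying so would stop the next reader from "fixing" it on one side only. The login handler this line belongs to starts before the hunk, so whether the session is regenerated on login (which would also be the moment to issue the token) cannot be judged from here.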
diff --git a/media/js/views/modals.js b/media/js/views/modals.js index 6ac2c12c7..aa71a55e0 100644 --- a/media/js/views/modals.js +++ b/media/js/views/modals.js @@ -129,7 +129,8 @@ }, getToken: function() { var that = this; - $.post('./account/token/generate', function(data) { + var token = document.querySelector('meta[name="csrf-token"]').getAttribute('content'); + $.post('./account/token/generate', {_csrf: token}, function(data) { if (data.token) { that.$('.token').val(data.token); that.$('.generated-token').show(); @@ -138,7 +139,8 @@ }, removeToken: function() { var that = this; - $.post('./account/token/revoke', function(data) { + var token = document.querySelector('meta[name="csrf-token"]').getAttribute('content'); + $.post('./account/token/revoke', {_csrf: token}, function(data) { that.refresh(); swal('Success', 'Authentication token revoked!', 'success'); }); diff --git a/media/js/views/upload.js b/media/js/views/upload.js index 2b9a54c15..521faf694 100644 --- a/media/js/views/upload.js +++ b/media/js/views/upload.js @@ -38,7 +38,8 @@ Dropzone && (Dropzone.autoDiscover = false); dictRemoveFile: 'Remove', parallelUploads: 8, maxFiles: 8, - previewTemplate: this.template + previewTemplate: this.template, + headers: {'xcsrf-token': document.querySelector('meta[name="csrf-token"]').getAttribute('content')} }); this.dropzone .on('sending', _.bind(this.sending, this)) diff --git a/package.json b/package.json index 475381a00..25c58c6f2 100644 --- a/package.json +++ b/package.json @@ -69,6 +69,7 @@ "connect-assets": "^5.3.0", "connect-mongo": "^1.2.1", "cookie-parser": "^1.4.3", + "crypto": "^1.0.1", "express.oi": "0.0.21", "helmet": "^2.1.1", "i18n": "^0.8.3", diff --git a/templates/chat.html b/templates/chat.html index 4ace7ca04..e71f06544 100644 --- a/templates/chat.html +++ b/templates/chat.html @@ -18,6 +18,7 @@ <% endblock %> <% block body %> +
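Review bot: `document.querySelector('meta[name="csrf-token"]').getAttribute('content')` throws a TypeError if the meta tag is absent from the page the modal is rendered on, and the same lookup is now pasted into four call sites across modals.js and upload.js. Put it behind one guarded helper, `function csrfToken() { var meta = document.querySelector('meta[name="csrf-token"]'); return meta ? meta.getAttribute('content') : ''; }`, and call `$.post('./account/token/generate', {_csrf: csrfToken()}, ...)`. A single `$.ajaxPrefilter` or `$.ajaxSetup({headers: {...}})` would attach the token to every jQuery request so no individual `$.post` can be forgotten, though that is a larger change and the header name would have to match what the server reads. The success callback also has no `.fail` counterpart, so the 401 the new middleware returns on a token mismatch is swallowed silently. The enclosing view object starts before the hunk.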
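Review bot: The `$.post('./account/token/revoke', {_csrf: token}, ...)` call has only a success callback, so when the server-side check rejects the token with 401 the user sees neither the `swal` confirmation nor an error, and `that.refresh()` never runs. Chain a failure handler, `.fail(function() { swal('Error', 'Could not revoke the token', 'error'); });`. The token lookup on the line above duplicates the one in `getToken` directly above it; a shared helper would keep the two in step and give one place to guard against a missing meta tag. The enclosing view object continues past the hunk.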
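Review bot: The header name `xcsrf-token` is non-standard; the conventional spelling is `X-CSRF-Token`, and because Node lowercases incoming header names the server would see that as `x-csrf-token`, not `xcsrf-token`, so whoever later "corrects" the client name without also changing `req.headers['xcsrf-token']` in requireLogin.js silently breaks every upload. Either rename both sides now (`headers: {'X-CSRF-Token': ...}` here and `req.headers['x-csrf-token']` on the server) or add a comment on this line stating that the odd name is deliberate and must match the middleware. The `document.querySelector(...).getAttribute('content')` expression also throws if the meta tag is missing, which here would abort Dropzone construction for the whole upload view rather than just one request. The Dropzone options object starts before the hunk.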
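Review bot: The `"crypto": "^1.0.1"` entry is unnecessary: `crypto` is a Node core module and `require('crypto')` in account.js always resolves to the builtin, never to anything under node_modules, so this line only pulls an unrelated third-party package into every install. To my knowledge the npm package of that name is an unmaintained placeholder, which makes it pure supply-chain surface with no benefit. Drop the line from `dependencies`.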
diff --git a/templates/includes/modals/profile.html b/templates/includes/modals/profile.html index 1e2239a67..100011047 100644 --- a/templates/includes/modals/profile.html +++ b/templates/includes/modals/profile.html @@ -2,6 +2,7 @@