csrf token
singharaj-usai committed Oct 11, 2024
1 parent 54655ab commit 38d0b88
Showing 2 changed files with 18 additions and 5 deletions.
7 changes: 7 additions & 0 deletions client/js/auth/auth.js
Expand Up @@ -4,6 +4,12 @@ $.getScript('/js/version.js', function() {
VERSION = window.VERSION;
});

let csrfToken = '';

$.get('/api/auth/csrf-token', function(data) {
csrfToken = data.csrfToken;
});

// Main application object
const App = {
// Configuration
Expand Down Expand Up @@ -460,6 +466,7 @@ const App = {
url: "/api/login",
method: "POST",
data: { username, password }, //captchaResponse: turnstileResponse },
headers: { 'CSRF-Token': csrfToken }, // CSRF token
success: (response) => {
localStorage.setItem("token", response.token);
localStorage.setItem("username", response.username);
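Review bot: The `'CSRF-Token': csrfToken` header on the login request can be sent empty, because `csrfToken` starts as `''` and is only filled in when the asynchronous `$.get('/api/auth/csrf-token', …)` callback runs; a submit before that response arrives (or after it fails — the `$.get` has no error handler) is rejected by the server's csrfProtection with a 403 and nothing tells the user why. Fetch the token on demand right before the `$.ajax` call, or at minimum make the failure visible: `$.get('/api/auth/csrf-token').done((data) => { csrfToken = data.csrfToken; }).fail((xhr) => console.error('CSRF token fetch failed', xhr.status));`. The `App` object and the login handler both continue outside the hunk.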
16 changes: 11 additions & 5 deletions server/functions/api/routes/auth.js
Expand Up @@ -3,7 +3,9 @@ const bcrypt = require("bcrypt");
const { body, validationResult } = require("express-validator");
const User = require("../models/User");
const moment = require("moment-timezone");
//const csrf = require("csurf");
const csrf = require("csurf");
const csrfProtection = csrf({ cookie: true });

const requestIp = require('request-ip');
const crypto = require('crypto');
const jwt = require('jsonwebtoken');
Expand Down Expand Up @@ -141,7 +143,7 @@ const validateUser = [


// REgister account
router.post("/register-create", authLimiter, validateUser, async (req, res) => {
router.post("/register-create", csrfProtection, authLimiter, validateUser, async (req, res) => {
try {
const { username, email, password } = req.body;
console.log("Registration attempt for:", email);
Expand Down Expand Up @@ -242,7 +244,7 @@ router.get("/validate-session", async (req, res) => {


// Check if user is banned
router.get("/check-ban", authenticateToken, async (req, res) => {
router.get("/check-ban", csrfProtection, authenticateToken, async (req, res) => {
try {
const user = await User.findById(req.user.userId);
if (!user) {
Expand All @@ -259,7 +261,7 @@ const MAX_LOGIN_ATTEMPTS = 5;
const LOCK_TIME = 2 * 60 * 1000; // 2 minutes

// Login endpoint
router.post("/login", authLimiter, async (req, res) => {
router.post("/login", csrfProtection, authLimiter, async (req, res) => {
try {
const { username, password } = req.body;
// console.log("Login attempt for:", username);
Expand Down Expand Up @@ -360,7 +362,7 @@ router.post("/login", authLimiter, async (req, res) => {
});

// Logout endpoint
router.post("/logout", async (req, res) => {
router.post("/logout", csrfProtection, async (req, res) => {
if (req.user) {
await User.findByIdAndUpdate(req.user._id, { isOnline: false });
}
Expand All @@ -372,6 +374,10 @@ router.post("/logout", async (req, res) => {
});
});

router.get("/csrf-token", csrfProtection, (req, res) => {
res.json({ csrfToken: req.csrfToken() });
});

/*
router.post("/claim-daily-currency", authenticateToken, async (req, res) => {
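Review bot: `csrf({ cookie: true })` near the top of the file leaves the secret cookie on csurf's defaults, so it is not `httpOnly`, `secure` or `sameSite`-restricted; for a same-origin client pass explicit cookie options, `const csrfProtection = csrf({ cookie: { httpOnly: true, sameSite: 'strict', secure: process.env.NODE_ENV === 'production' } });`. Cookie mode also requires `cookie-parser` to be mounted before this middleware, which is not visible in the hunk and is worth confirming. `csrfProtection` is now required on `/register-create` and `/logout` as well as `/login`, while the client change in this commit only adds the header to the login request, so those two POSTs will presumably fail with 403 until the client sends the token for them too; `/check-ban` is a GET, which csurf does not verify, so the middleware there only sets the cookie. csurf has been marked deprecated upstream, so a maintained alternative is worth considering before widening its use.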
