diff --git a/package-lock.json b/package-lock.json index 6970b7387..fdd2f26e9 100644 --- a/package-lock.json +++ b/package-lock.json @@ -338,7 +338,7 @@ }, "amdefine": { "version": "1.0.1", - "resolved": "https://registry.npmjs.org/amdefine/-/amdefine-1.0.1.tgz", + "resolved": false, "integrity": "sha1-SlKCrBZHKek2Gbz9OtFR+BfOkfU=", "dev": true }, @@ -411,7 +411,7 @@ }, "assert-plus": { "version": "1.0.0", - "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", + "resolved": false, "integrity": "sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=" }, "assertion-error": { @@ -483,7 +483,7 @@ }, "backoff": { "version": "2.5.0", - "resolved": "https://registry.npmjs.org/backoff/-/backoff-2.5.0.tgz", + "resolved": false, "integrity": "sha1-9hbtqdPktmuMp/ynn2lXIsX44m8=", "requires": { "precond": "0.2" @@ -626,7 +626,7 @@ }, "buffer-equal-constant-time": { "version": "1.0.1", - "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz", + "resolved": false, "integrity": "sha1-+OcRMvf/5uAaXJaXpMbz5I1cyBk=" }, "buffer-fill": { @@ -641,7 +641,7 @@ }, "bunyan": { "version": "1.8.12", - "resolved": "https://registry.npmjs.org/bunyan/-/bunyan-1.8.12.tgz", + "resolved": false, "integrity": "sha1-8VDw9nSKvdcq6uhPBEA74u8RN5c=", "requires": { "dtrace-provider": "~0.8", @@ -767,7 +767,7 @@ }, "code-point-at": { "version": "1.1.0", - "resolved": "https://registry.npmjs.org/code-point-at/-/code-point-at-1.1.0.tgz", + "resolved": false, "integrity": "sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c=", "dev": true }, @@ -812,7 +812,7 @@ }, "concat-map": { "version": "0.0.1", - "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "resolved": false, "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=" }, "concat-stream": { 
@@ -1016,7 +1016,7 @@ }, "core-util-is": { "version": "1.0.2", - "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", + "resolved": false, "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=" }, "cron": { @@ -1042,46 +1042,6 @@ "resolved": "https://registry.npmjs.org/crypto-random-string/-/crypto-random-string-1.0.0.tgz", "integrity": "sha1-ojD2T1aDEOFJgAmUB5DsmVRbyn4=" }, - "csrf": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz", - "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==", - "requires": { - "rndm": "1.2.0", - "tsscmp": "1.0.6", - "uid-safe": "2.1.5" - } - }, - "csurf": { - "version": "1.11.0", - "resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz", - "integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==", - "requires": { - "cookie": "0.4.0", - "cookie-signature": "1.0.6", - "csrf": "3.1.0", - "http-errors": "~1.7.3" - }, - "dependencies": { - "cookie": { - "version": "0.4.0", - "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz", - "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg==" - }, - "http-errors": { - "version": "1.7.3", - "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz", - "integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==", - "requires": { - "depd": "~1.1.2", - "inherits": "2.0.4", - "setprototypeof": "1.1.1", - "statuses": ">= 1.5.0 < 2", - "toidentifier": "1.0.0" - } - } - } - }, "currently-unhandled": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/currently-unhandled/-/currently-unhandled-0.4.1.tgz", 
@@ -1098,7 +1058,7 @@ }, "dashdash": { "version": "1.14.1", - "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", + "resolved": false, "integrity": "sha1-hTz6D3y+L+1d4gMmuN1YEDX24vA=", "requires": { "assert-plus": "^1.0.0" @@ -1173,7 +1133,7 @@ }, "decamelize": { "version": "1.2.0", - "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz", + "resolved": false, "integrity": "sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=" }, "deep-eql": { @@ -1440,7 +1400,7 @@ }, "ent": { "version": "2.2.0", - "resolved": "https://registry.npmjs.org/ent/-/ent-2.2.0.tgz", + "resolved": false, "integrity": "sha1-6WQhkyWiHQX0RGai9obtbOX13R0=" }, "error-ex": { @@ -1544,7 +1504,7 @@ }, "expect.js": { "version": "0.3.1", - "resolved": "https://registry.npmjs.org/expect.js/-/expect.js-0.3.1.tgz", + "resolved": false, "integrity": "sha1-sKWaDS7/VDdUTr8M6qYBWEHQm1s=", "dev": true }, @@ -2386,7 +2346,7 @@ }, "inflight": { "version": "1.0.6", - "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", + "resolved": false, "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=", "requires": { "once": "^1.3.0", @@ -2422,7 +2382,7 @@ }, "is-arrayish": { "version": "0.2.1", - "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz", + "resolved": false, "integrity": "sha1-d8mYQFJ6qOyxqLppe4BkWnqSap0=", "dev": true }, @@ -2504,12 +2464,12 @@ }, "isarray": { "version": "1.0.0", - "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", + "resolved": false, "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=" }, "isexe": { "version": "2.0.0", - "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", + "resolved": false, "integrity": "sha1-6PvzdNxVb/iUehDcsFctYz8s+hA=" }, "isstream": { 
@@ -2658,7 +2618,7 @@ }, "ldap-filter": { "version": "0.2.2", - "resolved": "https://registry.npmjs.org/ldap-filter/-/ldap-filter-0.2.2.tgz", + "resolved": false, "integrity": "sha1-8rhCvguG2jNSeYUFsx68rlkNd9A=", "requires": { "assert-plus": "0.1.5" @@ -2666,7 +2626,7 @@ "dependencies": { "assert-plus": { "version": "0.1.5", - "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-0.1.5.tgz", + "resolved": false, "integrity": "sha1-7nQAlBMALYTOxyGcasgRgS5yMWA=" } } @@ -2865,19 +2825,19 @@ "minimatch": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz", - "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==", + "integrity": "sha1-UWbihkV/AzBgZL5Ul+jbsMPTIIM=", "requires": { "brace-expansion": "^1.1.7" } }, "minimist": { "version": "0.0.8", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", + "resolved": false, "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=" }, "mkdirp": { "version": "0.5.1", - "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz", + "resolved": false, "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=", "requires": { "minimist": "0.0.8" @@ -3075,7 +3035,7 @@ }, "mv": { "version": "2.1.1", - "resolved": "https://registry.npmjs.org/mv/-/mv-2.1.1.tgz", + "resolved": false, "integrity": "sha1-rmzg1vbV4KT32JN5jQPB6pVZtqI=", "optional": true, "requires": { @@ -3086,7 +3046,7 @@ "dependencies": { "glob": { "version": "6.0.4", - "resolved": "https://registry.npmjs.org/glob/-/glob-6.0.4.tgz", + "resolved": false, "integrity": "sha1-DwiGD2oVUSey+t1PnOJLGqtuTSI=", "optional": true, "requires": { 
@@ -3099,13 +3059,13 @@ }, "ncp": { "version": "2.0.0", - "resolved": "https://registry.npmjs.org/ncp/-/ncp-2.0.0.tgz", + "resolved": false, "integrity": "sha1-GVoh1sRuNh0vsSgbo4uR6d9727M=", "optional": true }, "rimraf": { "version": "2.4.5", - "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.4.5.tgz", + "resolved": false, "integrity": "sha1-7nEM5dk6j9uFb7Xqj/Di11k0sto=", "optional": true, "requires": { @@ -3393,7 +3353,7 @@ }, "nopt": { "version": "3.0.6", - "resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz", + "resolved": false, "integrity": "sha1-xkZdvwirzU2zWTF/eaxopkayj/k=", "dev": true, "requires": { @@ -3442,7 +3402,7 @@ }, "number-is-nan": { "version": "1.0.1", - "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz", + "resolved": false, "integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=", "dev": true }, @@ -3626,7 +3586,7 @@ }, "parse-json": { "version": "2.2.0", - "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-2.2.0.tgz", + "resolved": false, "integrity": "sha1-9ID0BDTvgHQfhGkJn43qGPVaTck=", "dev": true, "requires": { @@ -3696,7 +3656,7 @@ }, "path-is-absolute": { "version": "1.0.1", - "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", + "resolved": false, "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=" }, "path-key": { @@ -3791,7 +3751,7 @@ }, "precond": { "version": "0.2.3", - "resolved": "https://registry.npmjs.org/precond/-/precond-0.2.3.tgz", + "resolved": false, "integrity": "sha1-qpWRvKokkj8eD0hJ0kD0fvwQdaw=" }, "pretty-bytes": { @@ -3859,7 +3819,7 @@ }, "pseudomap": { "version": "1.0.2", - "resolved": "https://registry.npmjs.org/pseudomap/-/pseudomap-1.0.2.tgz", + "resolved": false, "integrity": "sha1-8FKijacOYYkX7wqKw0wa5aaChrM=", "dev": true }, 
@@ -4127,7 +4087,7 @@ }, "require-directory": { "version": "2.1.1", - "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", + "resolved": false, "integrity": "sha1-jGStX9MNqxyXbiNE/+f3kqam30I=" }, "require-main-filename": { @@ -4170,11 +4130,6 @@ "glob": "^7.1.3" } }, - "rndm": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz", - "integrity": "sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w=" - }, "s3-block-read-stream": { "version": "0.5.0", "resolved": "https://registry.npmjs.org/s3-block-read-stream/-/s3-block-read-stream-0.5.0.tgz", @@ -4436,7 +4391,7 @@ }, "set-blocking": { "version": "2.0.0", - "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", + "resolved": false, "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=" }, "setprototypeof": { @@ -4496,7 +4451,7 @@ }, "signal-exit": { "version": "3.0.2", - "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.2.tgz", + "resolved": false, "integrity": "sha1-tf3AjxKH6hF4Yo5BXiUTK3NkbG0=" }, "slide": { @@ -4595,7 +4550,7 @@ }, "sprintf-js": { "version": "1.0.3", - "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "resolved": false, "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" }, "sqlstring": { @@ -4762,7 +4717,7 @@ }, "stubs": { "version": "3.0.0", - "resolved": "https://registry.npmjs.org/stubs/-/stubs-3.0.0.tgz", + "resolved": false, "integrity": "sha1-6NK6H6nJBXAwPAMLaQD31fiavls=" }, "superagent": { @@ -5059,7 +5014,7 @@ }, "typedarray": { "version": "0.0.6", - "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", + "resolved": false, "integrity": "sha1-hnrHTjhkGHsdPUfZlqeOxciDB3c=" }, "uid-safe": { @@ -5141,7 +5096,7 @@ }, "util-deprecate": { "version": "1.0.2", - "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", + "resolved": false, "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=" }, "utile": { 
@@ -5201,7 +5156,7 @@ }, "vasync": { "version": "1.6.4", - "resolved": "https://registry.npmjs.org/vasync/-/vasync-1.6.4.tgz", + "resolved": false, "integrity": "sha1-3+k2Fq0OeugBszKp2Iv8XNyOHR8=", "requires": { "verror": "1.6.0" @@ -5209,7 +5164,7 @@ "dependencies": { "verror": { "version": "1.6.0", - "resolved": "https://registry.npmjs.org/verror/-/verror-1.6.0.tgz", + "resolved": false, "integrity": "sha1-fROyex+swuLakEBetepuW90lLqU=", "requires": { "extsprintf": "1.2.0" @@ -5219,7 +5174,7 @@ }, "verror": { "version": "1.10.0", - "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", + "resolved": false, "integrity": "sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=", "requires": { "assert-plus": "^1.0.0", @@ -5242,7 +5197,7 @@ }, "which-module": { "version": "2.0.0", - "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.0.tgz", + "resolved": false, "integrity": "sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho=" }, "wide-align": { @@ -5329,7 +5284,7 @@ }, "wrappy": { "version": "1.0.2", - "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "resolved": false, "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=" }, "write-file-atomic": {
diff --git a/package.json b/package.json
index 7229c4954..11803ebdb 100644
--- a/package.json
+++ b/package.json
@@ -28,7 +28,6 @@
 "cookie-parser": "^1.4.4",
 "cookie-session": "^1.4.0",
 "cron": "^1.8.2",
- "csurf": "^1.11.0",
 "db-migrate": "^0.11.6",
 "db-migrate-mysql": "^1.1.10",
 "debug": "^4.1.1",
diff --git a/src/middleware/index.js b/src/middleware/index.js
index f30eae618..6a6a9da6f 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -3,7 +3,6 @@ exports = module.exports = {
 cookieParser: require('cookie-parser'),
 cors: require('./cors'),
- csrf: require('csurf'),
 json: require('body-parser').json,
 morgan: require('morgan'),
 proxy: require('proxy-middleware'),
diff --git a/src/oauth2views/account_setup.ejs b/src/oauth2views/account_setup.ejs
index 09c15ccd2..b5c6afea2 100644
--- a/src/oauth2views/account_setup.ejs
+++ b/src/oauth2views/account_setup.ejs
@@ -28,7 +28,6 @@ app.controller('Controller', ['$scope', function ($scope) {
-
diff --git a/src/oauth2views/login.ejs b/src/oauth2views/login.ejs
index 45849aa84..15d25c179 100644
--- a/src/oauth2views/login.ejs
+++ b/src/oauth2views/login.ejs
@@ -22,7 +22,6 @@
-
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 2237cce30..500d6b531 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -10,8 +10,7 @@ exports = module.exports = {
 accountSetupSite: accountSetupSite,
 accountSetup: accountSetup,
 authorization: authorization,
- token: token,
- csrf: csrf
+ token: token
 };
 var apps = require('../apps.js'),
@@ -25,7 +24,6 @@ var apps = require('../apps.js'),
 eventlog = require('../eventlog.js'),
 hat = require('../hat.js'),
 HttpError = require('connect-lastmile').HttpError,
- middleware = require('../middleware/index.js'),
 oauth2orize = require('oauth2orize'),
 passport = require('passport'),
 querystring = require('querystring'),
@@ -203,7 +201,6 @@ function loginForm(req, res) {
 var error = req.query.error || null;
 renderTemplate(res, 'login', {
- csrf: req.csrfToken(),
 applicationName: applicationName,
 applicationLogo: applicationLogo,
 error: error,
@@ -316,7 +313,6 @@ function renderAccountSetupSite(res, req, userObject, error) {
 renderTemplate(res, 'account_setup', {
 user: userObject,
 error: error,
- csrf: req.csrfToken(),
 resetToken: req.query.reset_token || req.body.resetToken,
 email: req.query.email || req.body.email,
 title: 'Account Setup'
@@ -460,15 +456,3 @@ function token() {
 gServer.errorHandler()
 ];
 }
-
-// Cross-site request forgery protection middleware for login form
-function csrf() {
- return [
- middleware.csrf(),
- function (err, req, res, next) {
- if (err.code !== 'EBADCSRFTOKEN') return next(err);
- sendErrorPageOrRedirect(req, res, 'Form expired');
- }
- ];
-}
diff --git a/src/routes/test/clients-test.js b/src/routes/test/clients-test.js
index 9f38cbe25..edf28180f 100644
--- a/src/routes/test/clients-test.js
+++ b/src/routes/test/clients-test.js
@@ -356,14 +356,6 @@ describe('Clients', function () {
 resetToken: hat(256)
 };
- // make csrf always succeed for testing
- oauth2.csrf = function () {
- return function (req, res, next) {
- req.csrfToken = function () { return hat(256); };
- next();
- };
- };
-
 function setup2(done) {
 async.series([
 setup,
diff --git a/src/routes/test/oauth2-test.js b/src/routes/test/oauth2-test.js
index ae2e42c80..4823a7056 100644
--- a/src/routes/test/oauth2-test.js
+++ b/src/routes/test/oauth2-test.js
@@ -204,14 +204,6 @@ describe('OAuth2', function () {
 scope: accesscontrol.SCOPE_PROFILE
 };
- // make csrf always succeed for testing
- oauth2.csrf = function () {
- return function (req, res, next) {
- req.csrfToken = function () { return hat(256); };
- next();
- };
- };
-
 function setup(done) {
 async.series([
 server.start,
@@ -1298,14 +1290,6 @@ describe('Password', function () {
 source: ''
 };
- // make csrf always succeed for testing
- oauth2.csrf = function () {
- return function (req, res, next) {
- req.csrfToken = function () { return hat(256); };
- next();
- };
- };
-
 function setup(done) {
 async.series([
 server.start,
diff --git a/src/server.js b/src/server.js
index f69e5ed4b..c5850643e 100644
--- a/src/server.js
+++ b/src/server.js
@@ -128,9 +128,6 @@ function initializeExpressSync() {
 const verifyDomainLock = routes.domains.verifyDomainLock;
- // csrf protection
- var csrf = routes.oauth2.csrf();
-
 // public routes
 router.post('/api/v1/cloudron/setup', routes.provision.providerTokenAuth, routes.provision.setup); // only available until no-domain
 router.post('/api/v1/cloudron/restore', routes.provision.restore); // only available until activated
@@ -223,12 +220,12 @@ function initializeExpressSync() {
 router.del ('/api/v1/groups/:groupId', usersManageScope, routes.groups.remove);
 // form based login routes used by oauth2 frame
- router.get ('/api/v1/session/login', csrf, routes.oauth2.loginForm);
- router.post('/api/v1/session/login', csrf, routes.oauth2.login);
+ router.get ('/api/v1/session/login', routes.oauth2.loginForm);
+ router.post('/api/v1/session/login', routes.oauth2.login);
 router.get ('/api/v1/session/logout', routes.oauth2.logout);
 router.get ('/api/v1/session/callback', routes.oauth2.sessionCallback());
- router.get ('/api/v1/session/account/setup.html', csrf, routes.oauth2.accountSetupSite);
- router.post('/api/v1/session/account/setup', csrf, routes.oauth2.accountSetup);
+ router.get ('/api/v1/session/account/setup.html', routes.oauth2.accountSetupSite);
+ router.post('/api/v1/session/account/setup', routes.oauth2.accountSetup);
 // oauth2 routes
 router.get ('/api/v1/oauth/dialog/authorize', routes.oauth2.authorization());
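Review bot: The rewritten `router.post('/api/v1/session/login', routes.oauth2.login);` and `router.post('/api/v1/session/account/setup', routes.oauth2.accountSetup);` lines drop the `csrf` middleware with no replacement visible anywhere in this commit, so these browser-facing form POSTs now rely on the session cookie alone; the login route in particular is left exposed to login CSRF (a cross-origin page can submit a form that signs the victim's browser into a session of the attacker's choosing), while the account-setup POST may be partly guarded by the `resetToken` it already requires, which this diff cannot confirm. If the mitigation now lives elsewhere — for example a `sameSite` attribute on the cookie-session cookie or an Origin/Referer check in an upstream proxy — record that on the route block, e.g. `// CSRF: no token middleware on these form POSTs; protected by <mitigation> (configured in <location>)`; otherwise a per-session token check or an Origin-header comparison against the configured domain should be reinstated on the two POST routes. The related removals (the `csrf` export and helper in src/routes/oauth2.js, the `csrf` entry in src/middleware/index.js, the stubs in the test files) follow from this one and need no separate fix. initializeExpressSync begins and continues outside the hunk.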