Update connect and bring in standalone csrf package

balderdashy · Jun 17, 2016 · 1d3c9e6 · 1d3c9e6
1 parent 98861ef
commit 1d3c9e6
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 21 deletions.
diff --git a/lib/hooks/csrf/index.js b/lib/hooks/csrf/index.js
@@ -117,29 +117,31 @@ module.exports = function(sails) {
 
           // If CSRF protection is on, run it
           if (sails.config.csrf.protectionEnabled) {
-            var connect = require('connect');
-
-            try {
-              return connect.csrf()(req, res, function() {
-                if (util.isSameOrigin(req) || allowCrossOriginCSRF) {
-                  res.locals._csrf = req.csrfToken();
-                } else {
-                  res.locals._csrf = null;
-                }
+            var csrf = require('csurf');
 
-                next();
-              });
-            } catch(err) {
-              // Only attempt to handle invalid csrf tokens
-              if (err.message != 'invalid csrf token') throw err;
+            return csrf()(req, res, function(err) {
+              if (err) {
+                // Only attempt to handle invalid csrf tokens
+                if (err.code !== 'EBADCSRFTOKEN') {
+                  throw err;
+                }
+                // Return an Access-Control-Allow-Origin header in case this is a xdomain request
+                if (req.headers.origin) {
+                  res.set('Access-Control-Allow-Origin', req.headers.origin);
+                  res.set('Access-Control-Allow-Credentials', true);
+                }
+                return res.forbidden('CSRF mismatch');
+              }
 
-              // Return an Access-Control-Allow-Origin header in case this is a xdomain request
-              if (req.headers.origin) {
-                res.set('Access-Control-Allow-Origin', req.headers.origin);
-                res.set('Access-Control-Allow-Credentials', true);
+              if (util.isSameOrigin(req) || allowCrossOriginCSRF) {
+                res.locals._csrf = req.csrfToken();
+              } else {
+                res.locals._csrf = null;
               }
-              return res.forbidden("CSRF mismatch");
-            }
+
+              next();
+            });
+
           }
 
           // Always ok

diff --git a/package.json b/package.json
@@ -34,12 +34,13 @@
     "chalk": "1.1.3",
     "commander": "2.9.0",
     "compression": "1.6.2",
-    "connect": "2.30.0",
+    "connect": "3.4.1",
     "connect-flash": "0.1.1",
     "consolidate": "0.14.1",
     "cookie": "0.1.2",
     "cookie-parser": "1.3.5",
     "cookie-signature": "1.0.6",
+    "csurf": "1.9.0",
     "ejs": "2.3.4",
     "ejs-locals": "1.0.2",
     "express": "3.21.2",