From 1d3c9e6459253261e0f763d133c559641bcbfa33 Mon Sep 17 00:00:00 2001
From: Scott Gress
Date: Fri, 17 Jun 2016 13:06:37 -0500
Subject: [PATCH] Update connect and bring in standalone csrf package
---
 lib/hooks/csrf/index.js | 42 +++++++++++++++++++++--------------------
 package.json | 3 ++-
 2 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/lib/hooks/csrf/index.js b/lib/hooks/csrf/index.js
index 702d3c24ab..e61c4f5b3c 100644
--- a/lib/hooks/csrf/index.js
+++ b/lib/hooks/csrf/index.js
@@ -117,29 +117,31 @@ module.exports = function(sails) {
 // If CSRF protection is on, run it
 if (sails.config.csrf.protectionEnabled) {
- var connect = require('connect');
-
- try {
- return connect.csrf()(req, res, function() {
- if (util.isSameOrigin(req) || allowCrossOriginCSRF) {
- res.locals._csrf = req.csrfToken();
- } else {
- res.locals._csrf = null;
- }
+ var csrf = require('csurf');
- next();
- });
- } catch(err) {
- // Only attempt to handle invalid csrf tokens
- if (err.message != 'invalid csrf token') throw err;
+ return csrf()(req, res, function(err) {
+ if (err) {
+ // Only attempt to handle invalid csrf tokens
+ if (err.code !== 'EBADCSRFTOKEN') {
+ throw err;
+ }
+ // Return an Access-Control-Allow-Origin header in case this is a xdomain request
+ if (req.headers.origin) {
+ res.set('Access-Control-Allow-Origin', req.headers.origin);
+ res.set('Access-Control-Allow-Credentials', true);
+ }
+ return res.forbidden('CSRF mismatch');
+ }
- // Return an Access-Control-Allow-Origin header in case this is a xdomain request
- if (req.headers.origin) {
- res.set('Access-Control-Allow-Origin', req.headers.origin);
- res.set('Access-Control-Allow-Credentials', true);
+ if (util.isSameOrigin(req) || allowCrossOriginCSRF) {
+ res.locals._csrf = req.csrfToken();
+ } else {
+ res.locals._csrf = null;
 }
- return res.forbidden("CSRF mismatch");
- }
+
+ next();
+ });
+ }
 // Always ok
diff --git a/package.json b/package.json
index 3edd37b4e2..a122fcd485 100644
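Review bot: `throw err;` inside the callback handed to `csrf()(req, res, …)` relies on whoever invokes that callback having a try/catch around it; for any error csurf reports without `code === 'EBADCSRFTOKEN'` the conventional and safer form is `return next(err);`, which reaches the Express error pipeline whether the callback runs synchronously or asynchronously, whereas a throw from an asynchronous invocation would surface as an uncaught exception. The enclosing request handler starts before this hunk, so I am inferring from the old `try`/`catch` and the trailing `next();` that `next` is the outer middleware callback. A lesser point of style: `csrf()` constructs a fresh csurf middleware instance on every request; hoisting it as `var csrf = require('csurf')();` out of the per-request path, with the call becoming `return csrf(req, res, function(err) {`, would avoid that. The reflection of `req.headers.origin` into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials` is carried over unchanged and applies only to the forbidden response, which is worth stating in the comment above it (e.g. `// Only on the forbidden path: lets a cross-origin caller read the 403; do not apply to the success path`) so a later edit does not widen it.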
--- a/package.json
+++ b/package.json
@@ -34,12 +34,13 @@
 "chalk": "1.1.3",
 "commander": "2.9.0",
 "compression": "1.6.2",
- "connect": "2.30.0",
+ "connect": "3.4.1",
 "connect-flash": "0.1.1",
 "consolidate": "0.14.1",
 "cookie": "0.1.2",
 "cookie-parser": "1.3.5",
 "cookie-signature": "1.0.6",
+ "csurf": "1.9.0",
 "ejs": "2.3.4",
 "ejs-locals": "1.0.2",
 "express": "3.21.2",