Added new modules to help prevent Cross Site Request Forgery
[sdnc/oam.git] / admportal / server / router / routes / user.js
index 116bf93..df5f860 100644 (file)
@@ -5,8 +5,13 @@ var util = require('util');
 var fs = require('fs');
 var dbRoutes = require('./dbRoutes');
 var csp = require('./csp');
+var cookieParser = require('cookie-parser');
+var csrf = require('csurf');
 var bodyParser = require('body-parser');
-var sax = require('sax'),strict=true,parser = sax.parser(strict);
+//var sax = require('sax'),strict=true,parser = sax.parser(strict);
+
+var csrfProtection = csrf({cookie: true});
+router.use(cookieParser());
 
 // SVC_LOGIC table columns
 var _module=''; // cannot use module its a reserved word
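Review bot: `csrf({cookie: true})` stores the CSRF secret in a cookie using csurf's defaults (name `_csrf`, path `/`, and no `httpOnly`, `secure` or `sameSite` flags), so the secret is readable by page scripts and would be sent over plain HTTP as well. Prefer an explicit options object such as `var csrfProtection = csrf({ cookie: { httpOnly: true, secure: true, sameSite: 'strict' } });` (`secure` assumes the portal is served over TLS, and `sameSite` needs a cookie/Express version that supports it — confirm both). Since this router already relies on `req.session` (see the `/listUsers` handler below), session-backed storage with plain `csrf()` would avoid the extra cookie and the `cookie-parser` dependency altogether, if the session middleware is mounted ahead of this router. `cookie-parser` must run before any `csrfProtection` use; `router.use(cookieParser())` satisfies that for routes declared further down this file, but not for routes mounted elsewhere.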
@@ -17,20 +22,25 @@ var xmlfile='';
 
 
 //router.use(bodyParser());
-router.use(bodyParser.urlencoded({
-  extended: true
-}));
+router.use(bodyParser.urlencoded({ extended: true }));
 
 
 // GET
 router.get('/listUsers', csp.checkAuth, function(req,res) {
        dbRoutes.listUsers(req,res, {user:req.session.loggedInAdmin,code:'', msg:''} );
 });
-router.get('/deleteUser', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
+// POST
+router.post('/updateUser', csp.checkAuth, csrfProtection, function(req,res,next){
+       dbRoutes.updateUser(req,res,{code:'',msg:''});
+});
+router.post('/addUser', csp.checkAuth, csrfProtection, function(req,res) {
+       dbRoutes.addUser(req,res, {code:'', msg:''} );
+});
+router.get('/deleteUser', csp.checkAuth, csrfProtection, function(req,res) {
        dbRoutes.deleteUser(req,res, {code:'', msg:''} );
 });
 
-//router.get('/activate', csp.checkAuth, dbRoutes.checkDB, function(req,res){
+//router.get('/activate', csp.checkAuth, function(req,res){
 
        //var _module = req.query.module;
        //var rpc = req.query.rpc;
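Review bot: `/deleteUser` is still a GET route, and csurf skips token validation for GET, HEAD and OPTIONS by default (its `ignoreMethods` setting), so adding `csrfProtection` there leaves the state-changing delete reachable from a cross-site link or image tag exactly as before. Change it to `router.post('/deleteUser', csp.checkAuth, csrfProtection, function(req,res) {` and submit the delete from a form carrying the token (overriding `ignoreMethods` would also work, but a POST is the cleaner fix). The `/listUsers` GET that renders the page is not under `csrfProtection`, so `req.csrfToken()` is not available to its view; unless the token is injected elsewhere, the forms posting to `/addUser` and `/updateUser` will now be rejected — add `csrfProtection` to that route too and pass `req.csrfToken()` into the render. The `dbRoutes.checkDB` middleware was also dropped from all three user routes in this hunk without explanation; if it is still required, restore it ahead of the handlers.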
@@ -40,7 +50,7 @@ router.get('/deleteUser', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
        //dbRoutes.activate(req,res,_module,rpc,version,mode);
 //});
 
-//router.get('/deactivate', csp.checkAuth, dbRoutes.checkDB, function(req,res){
+//router.get('/deactivate', csp.checkAuth, function(req,res){
 
        //var _module = req.query.module;
        //var rpc = req.query.rpc;
@@ -50,7 +60,7 @@ router.get('/deleteUser', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
        //dbRoutes.deactivate(req,res,_module,rpc,version,mode);
 //});
 
-//router.get('/deleteDG', csp.checkAuth, dbRoutes.checkDB, function(req,res){
+//router.get('/deleteDG', csp.checkAuth, function(req,res){
 
        //var _module = req.query.module;
        //var rpc = req.query.rpc;
@@ -93,15 +103,8 @@ parser.onend = function () {
 */
 
 
-// POST
-router.post('/updateUser', csp.checkAuth, dbRoutes.checkDB, function(req,res,next){
-       dbRoutes.updateUser(req,res,{code:'',msg:''});
-});
-router.post('/addUser', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
-       dbRoutes.addUser(req,res, {code:'', msg:''} );
-});
 
-//router.post('/upload', csp.checkAuth, dbRoutes.checkDB, function(req, res, next){
+//router.post('/upload', csp.checkAuth, function(req, res, next){
 
 /*
 logger.debug("upload");