Added new modules to help prevent Cross Site Request Forgery
[sdnc/oam.git] / admportal / server / router / routes / admin.js
index 4b7b808..96c7fd8 100755 (executable)
@@ -5,40 +5,43 @@ var util = require('util');
 var fs = require('fs');
 var dbRoutes = require('./dbRoutes');
 var csp = require('./csp');
+var cookieParser = require('cookie-parser');
 var bodyParser = require('body-parser');
 var sax = require('sax'),strict=true,parser = sax.parser(strict);
 var async = require('async');
+var csrf = require('csurf');
+
+var csrfProtection = csrf({cookie: true});
+router.use(cookieParser());
 
 
 // GET
 router.get('/getParameters', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
     dbRoutes.getParameters(req,res, {code:'', msg:''}, req.session.loggedInAdmin);
 });
-router.get('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
+router.get('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res) {
 
-    var privilegeObj = req.session.loggedInAdmin;
-    var tasks = [];
-    tasks.push(function(callback) {
-        dbRoutes.deleteParameter(req,res,callback);
-    });
-    async.series(tasks, function(err,result){
-        var msgArray = new Array();
-        if(err){
-            msgArray.push(err);
-            dbRoutes.getParameters(req,res,{code:'failure', msg:msgArray},privilegeObj);
-            return;
-        }
-        else {
-            msgArray.push('Row successfully deleted from PARAMETERS table.');
-            dbRoutes.getParameters(req,res,{code:'success', msg:msgArray},privilegeObj);
-            return;
-        }
-    });
+       var privilegeObj = req.session.loggedInAdmin;
+       var tasks = [];
+       tasks.push(function(callback) { dbRoutes.deleteParameter(req,res,callback); });
+       async.series(tasks, function(err,result){
+               var msgArray = new Array();
+               if(err){
+                       msgArray.push(err);
+                       dbRoutes.getParameters(req,res,{code:'failure', msg:msgArray},privilegeObj);
+                       return;
+               }
+               else {
+                       msgArray.push('Row successfully deleted from PARAMETERS table.');
+                       dbRoutes.getParameters(req,res,{code:'success', msg:msgArray},privilegeObj);
+                       return;
+               }
+       });
 });
 
 
 // POST
-router.post('/addParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res){
+router.post('/addParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res){
 
     var privilegeObj = req.session.loggedInAdmin;
     var tasks = [];
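Review bot: Adding `csrfProtection` to the GET `/deleteParameter` route (L23) does not protect the deletion, because csurf's default `ignoreMethods` is `['GET', 'HEAD', 'OPTIONS']` — on a GET the middleware only provisions the token and never validates it, so a cross-site request that deletes a row still succeeds. A state-changing action should move to `router.post('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res){ ... })`, with the form posting the token from `req.csrfToken()`; widening `ignoreMethods` instead would force a token onto every GET that goes through this middleware. Independently, `csrf({cookie: true})` at L14 stores the secret in a cookie with default attributes; `var csrfProtection = csrf({cookie: {httpOnly: true, sameSite: 'strict', secure: true}});` keeps it out of script reach and off cross-site requests (`secure` presupposes the portal is served over HTTPS — confirm). The same middleware instance is reused on the `/updateParameter` hunk below, so the cookie options apply there too; whether `router.use(cookieParser())` at L15 runs before any routes defined earlier in the file cannot be seen from this hunk.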
@@ -59,7 +62,7 @@ router.post('/addParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res){
 });
 
 // gamma - updateAicSite
-router.post('/updateParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res){
+router.post('/updateParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res){
 
     var privilegeObj = req.session.loggedInAdmin;
     var tasks = [];
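Review bot: A rejected token on this route surfaces as an error that csurf passes to `next()` with `err.code === 'EBADCSRFTOKEN'` and status 403, and nothing in the patch adds a handler for it, so the response falls through to Express's default error handler (which echoes the stack trace outside production mode). A router-level handler such as `router.use(function(err, req, res, next){ if (err.code !== 'EBADCSRFTOKEN') return next(err); res.status(403).send('Invalid CSRF token'); });` after the routes would give a controlled response and a single place to log the rejection. The handler body of `/updateParameter` continues outside this hunk.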