authorRotundo, Al (ar3165) <ar3165@att.com>2019-07-31 14:46:56 +0000
committerTimoney, Dan (dt5972) <dtimoney@att.com>2019-07-31 14:31:07 -0400
commit18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch)
tree39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/server/router/routes/csp.js
parent33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff)
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal. Issue-ID: OJSI-40 Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267 Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com> Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/server/router/routes/csp.js')
-rw-r--r--admportal/server/router/routes/csp.js48
1 files changed, 44 insertions, 4 deletions
diff --git a/admportal/server/router/routes/csp.js b/admportal/server/router/routes/csp.js
index 435aaf91..8828052f 100644
--- a/admportal/server/router/routes/csp.js
+++ b/admportal/server/router/routes/csp.js
@@ -15,13 +15,18 @@ function logout(req,res){
function login (req,res) {
+console.log('login');
+var tkn = req.sanitize(req.body._csrf);
+console.log('login:tkn=' + tkn);
+
var loggedInAdmin={};
- var email = req.body.email;
+ var email = req.sanitize(req.body.email);
+ var pswd = req.sanitize(req.body.password);
dbRoutes.findAdminUser(email,res,function(adminUser){
if(adminUser !== null){
// make sure correct password is provided
- if (req.body.password != adminUser.password) {
+ if (pswd != adminUser.password) {
res.render("pages/login",
{
result:
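Review bot: The new comparison `if (pswd != adminUser.password)` still matches the submitted password directly against the stored value, so the stored admin password is apparently plaintext and the compare is not constant-time; the commit does not change that. Passing the password through `req.sanitize` before comparing can also rewrite characters such as `<` or `&` (what it does depends on the sanitizer middleware, which is not visible here) and so reject valid passwords. The added `console.log('login:tkn=' + tkn)` writes the CSRF token to the log, and token values should not be logged. A hashed-password comparison with the token log line removed would be the fix; login's body continues outside the hunk.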
@@ -36,6 +41,7 @@ function login (req,res) {
var loggedInAdmin = {
email:adminUser.email,
+ csrfToken: tkn,
password:adminUser.password,
privilege:adminUser.privilege
}
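Review bot: The `csrfToken: tkn` field added to the session object sits next to `password:adminUser.password`, so the admin's password is still kept in the session even though nothing in this hunk needs it; it should be dropped from `loggedInAdmin` rather than carried alongside the new token. Nothing visible in this file reads `csrfToken` back out of the session, so whether it is actually verified on later requests depends on middleware outside the diff. A comment on the added line, `// CSRF token issued at login; must be checked by the CSRF middleware on later requests`, would record the intent once that is confirmed. login's body continues outside the hunk.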
@@ -57,6 +63,7 @@ function login (req,res) {
}
function checkAuth(req,res,next){
+
var host = req.get('host');
var url = req.url;
var originalUrl = req.originalUrl;
@@ -64,8 +71,7 @@ function checkAuth(req,res,next){
console.log("checkAuth");
var host = req.headers['host'];
-console.log('host=' + host);
-
+ console.log('host=' + host);
console.log("cookie is not null "+JSON.stringify(req.session.loggedInAdmin));
if(req.session == null || req.session == undefined
|| req.session.loggedInAdmin == null || req.session.loggedInAdmin == undefined)
@@ -79,6 +85,40 @@ console.log('host=' + host);
next();
}
+function checkPriv(req,res,next)
+{
+ var priv = req.session.loggedInAdmin;
+ if(req.session == null || req.session == undefined
+ || req.session.loggedInAdmin == null || req.session.loggedInAdmin == undefined)
+ {
+ res.render("pages/err",
+ {
+ result: {code:'error', msg:'Unexpected null session.'},
+ header: process.env.MAIN_MENU
+ });
+ return;
+ }
+ else
+ {
+ if (priv.privilege == 'A')
+ {
+ next();
+ return;
+ }
+ else
+ {
+ res.render("pages/err",
+ {
+ result: { code:'error', msg:'User does not have permission to run operation.'},
+ header: process.env.MAIN_MENU
+ });
+ return;
+ }
+ }
+}
+
+
exports.login = login;
exports.logout = logout;
exports.checkAuth = checkAuth;
+exports.checkPriv = checkPriv;
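Review bot: `var priv = req.session.loggedInAdmin;` at the top of checkPriv dereferences `req.session` before the guard that tests `req.session == null`, so a missing session throws a TypeError instead of rendering the error page. Moving the assignment below the guard, `var priv = req.session.loggedInAdmin;` placed just before `if (priv.privilege == 'A')`, fixes it. Both error paths also render with the default 200 status; `res.status(403)` before the render on the permission-denied path would let clients and logs distinguish the rejection. A one-line JSDoc, `/** Express middleware: passes the request on only when the session's loggedInAdmin has privilege 'A'. */`, would document the contract.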