authorRotundo, Al (ar3165) <ar3165@att.com>2019-07-31 14:46:56 +0000
committerTimoney, Dan (dt5972) <dtimoney@att.com>2019-07-31 14:31:07 -0400
commit18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch)
tree39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/server/router/routes/root.js
parent33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff)
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal. Issue-ID: OJSI-40 Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267 Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com> Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/server/router/routes/root.js')
-rw-r--r--admportal/server/router/routes/root.js45
1 files changed, 28 insertions, 17 deletions
diff --git a/admportal/server/router/routes/root.js b/admportal/server/router/routes/root.js
index b314d7db..78b69829 100644
--- a/admportal/server/router/routes/root.js
+++ b/admportal/server/router/routes/root.js
@@ -7,6 +7,12 @@ var os = require('os');
var async = require('async');
var OdlInterface = require('./OdlInterface');
var properties = require(process.env.SDNC_CONFIG_DIR + '/admportal.json');
+var cookieParser = require('cookie-parser')
+var csrf = require('csurf')
+var bodyParser = require('body-parser')
+
+var csrfProtection = csrf({cookie:true});
+var parseForm = bodyParser.urlencoded({ extended: false })
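Review bot: `csrfProtection` is built with `csrf({cookie:true})`, which stores the secret in a cookie and therefore needs the cookie-parser middleware to run before it, yet `cookieParser` is required on the line above and never mounted in this hunk; unless the app installs `cookieParser()` globally elsewhere (not visible here), every route guarded by `csrfProtection` will fail before the token is checked. Likewise `parseForm` is created here but not applied to any route in this file, so the form-submitted token has nothing to populate `req.body` unless a body parser is already mounted at the app level. The secret cookie is also issued with csurf's defaults; hardening it is a one-line change, `var csrfProtection = csrf({ cookie: { httpOnly: true, secure: true, sameSite: 'strict' } });`, so the secret is not readable from page scripts and is not sent on cross-site requests. A short comment above the declaration noting that cookie-parser must precede this middleware would help the next maintainer.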
@@ -70,28 +76,33 @@ function createFunctionObj( loptions ) {
return function(callback) { OdlInterface.Healthcheck(loptions,callback); };
}
-router.get('/mytree', function(req,res) {
- res.render('pages/tree');
+//router.get('/mytree', function(req,res) {
+// res.render('pages/tree');
+//});
+//router.get('/setuplogin', function(req,res) {
+// res.render('pages/setuplogin');
+//});
+//router.post('/formSetupLogin', function(req,res) {
+// dbRoutes.saveSetupLogin(req,res);
+//});
+
+router.get('/login', csrfProtection, function(req,res) {
+ var tkn = req.csrfToken();
+ res.render('pages/login', {csrfToken:tkn});
+ return;
});
-router.get('/setuplogin', function(req,res) {
- res.render('pages/setuplogin');
+router.post('/formlogin', csrfProtection, function(req,res) {
+ csp.login(req,res);
});
-router.post('/formSetupLogin', function(req,res) {
- dbRoutes.saveSetupLogin(req,res);
+
+router.get('/signup', csrfProtection, function(req,res) {
+ var tkn = req.csrfToken();
+ res.render('pages/signup', {csrfToken:tkn});
});
-router.post('/formSignUp', function(req,res) {
+router.post('/formSignUp', csrfProtection, function(req,res) {
dbRoutes.saveUser(req,res);
});
-router.post('/formlogin', csp.login, function(req,res) {
-});
-router.get('/login', function(req,res) {
- res.render('pages/login');
- // handle get
-});
-router.get('/signup', function(req,res) {
- res.render('pages/signup');
- // handle get
-});
+
router.get('/info', function(req,res) {
// handle get
res.send("login info");
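Review bot: The POST routes `/formlogin` and `/formSignUp` run `csrfProtection` without `parseForm` ahead of it, so if no app-level body parser exists the `_csrf` field from the login and signup forms is never parsed and csurf cannot find the token in `req.body`; the intended chain is `router.post('/formlogin', parseForm, csrfProtection, function(req,res) {` and the same for `/formSignUp`. The token must also actually be emitted by the `pages/login` and `pages/signup` templates as a hidden `_csrf` input, which this diff does not show. The old `/mytree`, `/setuplogin` and `/formSetupLogin` handlers are left as commented-out code rather than deleted; version control keeps them, and the commented block invites someone to uncomment them later without the CSRF guard. The `return;` at the end of the `/login` handler is redundant and can be dropped.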