

 
var 
    utils = require('../utils'),    
    crypto = require('crypto');
 
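/**
 * Build an Express middleware implementing Angular's cookie/header XSRF scheme.
 *
 * A per-session token is stored in `req.session._esecurity_xsrf` and mirrored
 * into the client-readable `XSRF-TOKEN` cookie; Angular sends it back in the
 * `X-XSRF-TOKEN` header (a body or query field named `xsrf-token`/`XSRF-TOKEN`
 * is accepted as well). Any request that carries a token, and every request
 * other than OPTIONS/HEAD/GET, is rejected with a 403 unless the presented
 * token equals the session token.
 *
 * @param {Object}   [opts]
 * @param {Function} [opts.skip]   `(req, res)` returning truthy to bypass the
 *                                 check for that request
 * @param {Object}   [opts.cookie] options forwarded to `res.cookie()`; `path`
 *                                 defaults to '/', `httpOnly` is always forced
 *                                 to false because Angular must read the cookie
 *                                 (pass `secure` / `sameSite` here if wanted)
 * @param {Function} [opts.log]    `(message, req)` called on every rejection
 * @returns {Function} Express middleware `(req, res, next)`
 */
module.exports = function AngularXsrfConstructor(opts) {

    opts = opts || {};

    // Work on private copies so the caller's option objects are never mutated.
    var skip = 'function' === typeof opts.skip ? opts.skip : null,
        log = 'function' === typeof opts.log ? opts.log : null,
        cookieOpts = {};

    Object.keys(opts.cookie || {}).forEach(function (name) {
        cookieOpts[name] = opts.cookie[name];
    });
    cookieOpts.path = cookieOpts.path || '/';
    // Angular reads the cookie from document.cookie, so it cannot be httpOnly.
    cookieOpts.httpOnly = false;

    // 160 bits of CSPRNG output rendered as 40 hex characters: the same length
    // and entropy as sha1(randomBytes(35)) without the redundant hash step.
    var generateToken = function () {
        return crypto.randomBytes(20).toString('hex');
    };

    // Constant-time equality for the presented vs. session token, so the time a
    // rejection takes does not depend on how many leading characters matched.
    // Non-strings (e.g. arrays produced by body/query parsers) never match.
    var safeEqual = function (a, b) {
        if ('string' !== typeof a || 'string' !== typeof b || a.length !== b.length)
            return false;

        if ('function' === typeof crypto.timingSafeEqual) {
            var bufA = Buffer.from(a),
                bufB = Buffer.from(b);
            // Equal UTF-16 length does not guarantee equal byte length.
            return bufA.length === bufB.length && crypto.timingSafeEqual(bufA, bufB);
        }

        // Fallback for runtimes without timingSafeEqual: XOR-fold over the full length.
        var diff = 0;
        for (var i = 0; i < a.length; i++)
            diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
        return 0 === diff;
    };

    return function angularXsrf(req, res, next) {

        // Self-awareness: run only once even if the middleware is mounted twice.
        if (req._esecurity_angularxsrf)
            return next();

        req._esecurity_angularxsrf = true;

        if (skip && skip(req, res))
            return next();

        // Lazily creates the per-session token; also exposed to later handlers
        // and templates. Needs a session middleware mounted before this one.
        req.xsrfToken = function () {
            if (!req.session)
                throw new Error('angularXsrf: req.session is undefined - mount a session middleware before angularXsrf');
            return req.session._esecurity_xsrf || (req.session._esecurity_xsrf = generateToken());
        };

        var addXsrfCookie = function () {
            res.cookie('XSRF-TOKEN', req.xsrfToken(), cookieOpts);
        };

        // Token as presented by the client: header first, then the body for
        // POST or the query string for every other verb.
        var getRequestToken = function () {
            return req.get('x-xsrf-token')
                || (req.method === 'POST' && req.body && (req.body['xsrf-token'] || req.body['XSRF-TOKEN']))
                || (req.method !== 'POST' && req.query && (req.query['xsrf-token'] || req.query['XSRF-TOKEN']));
        };

        // Read both sides exactly once so the check and the comparison agree.
        var requestToken = getRequestToken(),
            sessionToken = req.session && req.session._esecurity_xsrf;

        switch (req.method) {
            case 'OPTIONS':
            case 'HEAD':
                break;
            case 'GET':
                // First contact (or no session token yet): issue the cookie.
                if (!requestToken || !sessionToken) {
                    addXsrfCookie();
                    return next();
                }
                // falls through: a GET that presents a token is verified like any other request
            default:
                if (!requestToken || !sessionToken || !safeEqual(requestToken, sessionToken)) {
                    if (log)
                        log('[' + req.ip + '] - 403 - XSRF token does not match.', req);
                    return next(utils.error(403, 'XSRF token does not match.'));
                }

                break;
        }

        return next();
    };
};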