Closed Bug 920954 Opened 12 years ago Closed 12 years ago

Add CSRF token support

Categories

(Webmaker Graveyard :: Profile, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jon, Assigned: michiel)

Details

(Whiteboard: mozfest)

Attachments

(2 files)

I've disabled CSRF tokens temporarily so that we can continue to iterate on the frontend and backend, but we'll need to bring em back before we ship to prod.
Whiteboard: mozfest
Blocks: 927118
I gave this a shot, and in my opinion, profile and profile service should be one app, otherwise we're going to have to figure out cross-domain CSRF.
https://github.com/cadecairos/webmaker-profile-service/tree/bug920954
https://github.com/cadecairos/webmaker-profile/tree/bug920954
I'll give myself 4 hours to figure out a way to do cross-domain CSRF; if I can't, then we can just merge the apps.
Assignee: cade → jon
Assignee: jon → pomax
No longer blocks: 927118, 914711
I can't get a CSRF token to show up. If I add the server.use(express.csrf()) code after the cookie/body parsing, with a test route

    server.get('/getCSRF', function(req, res, next) {
      console.log(req.session);
    });

then there is no _csrf token, nor does req.csrfToken() resolve to anything valid. The session has a _csrfSecret attached to it, but this is not something we can use.
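An added illustration, not part of the comment above and not code from Webmaker or from Express/Connect: a minimal sketch of a secret-derived CSRF token scheme, in which the session stores only a secret and each token given to the client is derived from it on request. The names `ensureSecret`, `createToken`, `verifyToken` and `csrfSecret` are hypothetical, and the salted-HMAC construction is an assumption chosen for this sketch.

```javascript
// Added example: secret-derived CSRF tokens (hypothetical names, assumed HMAC scheme).
const crypto = require('crypto');

// The per-session secret is created once and never leaves the server.
function ensureSecret(session) {
  if (!session.csrfSecret) {
    session.csrfSecret = crypto.randomBytes(24).toString('hex');
  }
  return session.csrfSecret;
}

function mac(secret, salt) {
  return crypto.createHmac('sha256', secret).update(salt).digest('hex');
}

// Each call yields a different token, because a fresh random salt is mixed in.
function createToken(session) {
  const salt = crypto.randomBytes(8).toString('hex');
  return salt + '-' + mac(ensureSecret(session), salt);
}

// Check a token taken from a request header or form field against the session.
function verifyToken(session, token) {
  if (typeof token !== 'string' || !session.csrfSecret) return false;
  const i = token.indexOf('-');
  if (i < 1) return false;
  const expected = Buffer.from(mac(session.csrfSecret, token.slice(0, i)));
  const given = Buffer.from(token.slice(i + 1));
  // Length check first: timingSafeEqual throws on unequal lengths.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

function demo() {
  const session = {}; // constructed stand-in for req.session
  const other = {};   // a second, unrelated session
  ensureSecret(other);
  const t1 = createToken(session);
  const t2 = createToken(session);
  const flipped = t1.slice(0, -1) + (t1.endsWith('0') ? '1' : '0');
  return {
    distinct: t1 !== t2,
    bothValid: verifyToken(session, t1) && verifyToken(session, t2),
    crossSession: verifyToken(other, t1),
    tampered: verifyToken(session, flipped),
    missing: verifyToken(session, undefined),
  };
}

console.log(demo());
```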
Assignee: pomax → jon
Assignee: jon → pomax
Blocks: 930936
Attachment #822308 - Flags: review?(cade) → review+
Attachment #822309 - Flags: review?(cade) → review+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED