How to use the server/utils/misc.checkCSRF function in server

To help you get started, we’ve selected a few server examples, based on popular ways it is used in public projects.


freedomexio/rocketx-condenser — src/server/api/general.js
router.post('/accounts', koaBody, function*() {
        if (rateLimitReq(this, this.req)) return;
        const params = this.request.body;
        const account =
            typeof params === 'string' ? JSON.parse(params) : params;
        if (!checkCSRF(this, account.csrf)) return;
        logRequest('accounts', this, { account });
        if ($STM_Config.disable_signups) {
            this.body = JSON.stringify({
                error: 'New signups are temporary disabled.',
            });
            this.status = 401;
            return;
        }

        const user_id = this.session.user;
        if (!user_id) {
            // require user to sign in with identity provider
            this.body = JSON.stringify({ error: 'Unauthorized' });
            this.status = 401;
            return;
        }
freedomexio/rocketx-condenser — src/server/api/general.js
router.post('/accounts', koaBody, function*() {
        if (rateLimitReq(this, this.req)) return;
        const params = this.request.body;
        const account =
            typeof params === 'string' ? JSON.parse(params) : params;
        if (!checkCSRF(this, account.csrf)) return;
        logRequest('accounts', this, { account });
        if ($STM_Config.disable_signups) {
            this.body = JSON.stringify({
                error: 'New signups are temporary disabled.',
            });
            this.status = 401;
            return;
        }

        const user_id = this.session.user;
        if (!user_id) {
            // require user to sign in with identity provider
            this.body = JSON.stringify({ error: 'Unauthorized' });
            this.status = 401;
            return;
        }
freedomexio/rocketx-condenser — server/sign_up_pages/enter_confirm_mobile.jsx
function* confirmMobileHandler(e) {
    if (!checkCSRF(this, this.request.body.csrf)) return;
    const confirmation_code = this.params && this.params.code
        ? this.params.code
        : this.request.body.code;
    console.log(
        "-- /confirm_mobile -->",
        this.session.uid,
        this.session.user,
        confirmation_code
    );

    const user = yield models.User.findOne({
        attributes: ['id', 'account_status'],
        where: { id: this.session.user }
    });
    if (!user) {
        this.flash = { error: "User session not found, please make sure you have cookies enabled in your browser for this website" };
freedomexio/rocketx-condenser — src/server/api/notifications.js
router.post('/notifications/register', koaBody, function*() {
        this.body = '';
        try {
            const params = this.request.body;
            const { csrf, account, webpush_params } =
                typeof params === 'string' ? JSON.parse(params) : params;
            if (!checkCSRF(this, csrf)) return;
            console.log(
                '-- POST /notifications/register -->',
                this.session.uid,
                account,
                webpush_params
            );
            if (!account || account !== this.session.a) return;
            if (
                !webpush_params ||
                !webpush_params.endpoint ||
                !webpush_params.endpoint.match(
                    /^https:\/\/android\.googleapis\.com/
                )
            )
                return;
            if (!webpush_params.keys || !webpush_params.keys.auth) return;
freedomexio/rocketx-condenser — server/api/account_recovery.js
router.post('/api/v1/request_account_recovery', koaBody, function *() {
        if (rateLimitReq(this, this.req)) return;
        let params = this.request.body;
        params = typeof(params) === 'string' ? JSON.parse(params) : params;
        if (!checkCSRF(this, params.csrf)) return;
        try {
            if (!this.session.arec) {
                console.log('-- /request_account_recovery --> this.session.arec is empty', this.session.uid);
                this.body = JSON.stringify({error: 'Unauthorized'});
                this.status = 401;
                return;
            }

            const account_recovery_record = yield models.AccountRecoveryRequest.findOne({
                attributes: ['id', 'account_name', 'provider', 'status'],
                where: {id: this.session.arec}
            });

            if (!account_recovery_record || account_recovery_record.account_name !== params.name) {
                console.log('-- /request_account_recovery --> no arec found or wrong name', this.session.uid, params.name);
                this.body = JSON.stringify({error: 'Unauthorized'});
freedomexio/rocketx-condenser — server/api/notifications.js
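router.post('/notifications/register', koaBody, function *() {
        // Registers a browser push subscription for the account bound to this session.
        // Every rejection path leaves the body empty, so the client cannot tell which
        // check turned the request away.
        this.body = '';
        try {
            const params = this.request.body;
            const {csrf, account, webpush_params} = typeof params === 'string' ? JSON.parse(params) : params;
            if (!checkCSRF(this, csrf)) return;
            // Log only the endpoint: webpush_params.keys carries the subscription's
            // auth secret and p256dh key, which must not end up in the log stream.
            const endpoint = webpush_params && webpush_params.endpoint;
            console.log('-- POST /notifications/register -->', this.session.uid, account, endpoint);
            // The subscription may only be attached to the account this session is bound to.
            if (!account || account !== this.session.a) return;
            // Require a string endpoint whose host is exactly android.googleapis.com.
            // The previous prefix match (/^https:\/\/android\.googleapis\.com/) also
            // accepted hosts such as android.googleapis.com.example, so the host is
            // now anchored to the end of the authority ('/', '?', '#' or end of string).
            if (typeof endpoint !== 'string' || !/^https:\/\/android\.googleapis\.com(?:[\/?#]|$)/.test(endpoint)) return;
            if (!webpush_params.keys || !webpush_params.keys.auth) return;
            yield Tarantool.instance().call('webpush_subscribe', account, webpush_params);
        } catch (error) {
            // JSON.parse failures and storage errors land here; the response stays empty.
            console.error('-- POST /notifications/register error -->', this.session.uid, error.message);
        }
    });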
freedomexio/rocketx-condenser — src/server/api/account_recovery.js
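router.post('/initiate_account_recovery', koaBody, function *() {
        // Opens an account-recovery request for the submitted account name and sends
        // the user on to the chosen identity provider to prove ownership.
        if (rateLimitReq(this, this.req)) return;
        let params = this.request.body;
        params = typeof params === 'string' ? JSON.parse(params) : params;
        if (!checkCSRF(this, params.csrf)) return;
        // Log the two fields the request is about rather than the whole body,
        // which also carries the CSRF token.
        console.log('-- /initiate_account_recovery -->', this.session.uid, params.account_name, params.provider);
        this.session.recover_account = null;
        if (!params.account_name) {
            // A missing field is a client error, not a server failure.
            this.status = 400;
            this.body = 'please provide account name';
            return;
        }
        // Spread the client body first so the server-owned fields win: with
        // `...params` last, the request body could supply its own `uid` or `status`.
        const attrs = {
            ...params,
            uid: this.session.uid,
            status: 'open',
            remote_ip: getRemoteIp(this.req),
        };
        const request = yield models.AccountRecoveryRequest.create(escAttrs(attrs));
        console.log('-- /initiate_account_recovery request id -->', this.session.uid, request.id);
        // Later steps of the recovery flow find this request through the session.
        this.session.arec = request.id;
        // NOTE(review): params.provider is not validated here; presumably the
        // /connect/:provider route rejects unknown providers — confirm.
        this.redirect('/connect/' + params.provider);
    });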
freedomexio/rocketx-condenser — src/server/sign_up_pages/enter_confirm_mobile.jsx
function* confirmMobileHandler(e) {
    if (!checkCSRF(this, this.request.body.csrf)) return;
    const confirmation_code = this.params && this.params.code
        ? this.params.code
        : this.request.body.code;
    console.log(
        "-- /confirm_mobile -->",
        this.session.uid,
        this.session.user,
        confirmation_code
    );

    const user = yield models.User.findOne({
        attributes: ['id', 'account_status'],
        where: { id: this.session.user }
    });
    if (!user) {
        this.flash = { error: "User session not found, please make sure you have cookies enabled in your browser for this website" };
freedomexio/rocketx-condenser — server/sign_up_pages/enter_confirm_mobile.jsx
router.post("/submit_mobile", koaBody, function*() {
        if (!checkCSRF(this, this.request.body.csrf)) return;
        const user_id = this.session.user;
        if (!user_id) {
            this.flash = { error: "Your session has been interrupted, please start over" };
            this.redirect('/pick_account');
            return;
        }

        const country = this.request.body.country;
        const localPhone = this.request.body.phone;
        const enterMobileUrl = `/enter_mobile?phone=${localPhone}&country=${country}`;

        if (!country || country === "") {
            this.flash = { error: "Please select a country code" };
            this.redirect(enterMobileUrl);
            return;
        }
freedomexio/rocketx-condenser — src/server/sign_up_pages/enter_confirm_mobile.jsx
router.post("/submit_mobile", koaBody, function*() {
        if (!checkCSRF(this, this.request.body.csrf)) return;
        const user_id = this.session.user;
        if (!user_id) {
            this.flash = { error: "Your session has been interrupted, please start over" };
            this.redirect('/pick_account');
            return;
        }

        const country = this.request.body.country;
        const localPhone = this.request.body.phone;
        const enterMobileUrl = `/enter_mobile?phone=${localPhone}&country=${country}`;

        if (!country || country === "") {
            this.flash = { error: "Please select a country code" };
            this.redirect(enterMobileUrl);
            return;
        }