blackbird-server
Version:
HTTP for JavaScript
363 lines (362 loc) • 11.3 kB
HTML
<html lang="en">
<head>
<title>Code coverage report for modules/middleware/token.js</title>
<meta charset="utf-8" />
<link rel="stylesheet" href="../../prettify.css" />
<link rel="stylesheet" href="../../base.css" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<style type='text/css'>
.coverage-summary .sorter {
background-image: url(../../sort-arrow-sprite.png);
}
</style>
</head>
<body>
<div class='wrapper'>
<div class='pad1'>
<h1>
<a href="../../index.html">all files</a> / <a href="index.html">modules/middleware/</a> token.js
</h1>
<div class='clearfix'>
<div class='fl pad1y space-right2'>
<span class="strong">88.89% </span>
<span class="quiet">Statements</span>
<span class='fraction'>24/27</span>
</div>
<div class='fl pad1y space-right2'>
<span class="strong">86.36% </span>
<span class="quiet">Branches</span>
<span class='fraction'>19/22</span>
</div>
<div class='fl pad1y space-right2'>
<span class="strong">100% </span>
<span class="quiet">Functions</span>
<span class='fraction'>2/2</span>
</div>
<div class='fl pad1y space-right2'>
<span class="strong">88.89% </span>
<span class="quiet">Lines</span>
<span class='fraction'>24/27</span>
</div>
</div>
</div>
<div class='status-line high'></div>
<pre><table class="coverage">
<tr><td class="line-count quiet">1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100</td><td class="line-coverage quiet"><span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-no"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-yes">4×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">4×</span>
<span class="cline-any cline-no"> </span>
<span class="cline-any cline-yes">4×</span>
<span class="cline-any cline-no"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">4×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">4×</span>
<span class="cline-any cline-yes">3×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">4×</span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">3×</span>
<span class="cline-any cline-yes">2×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-neutral"> </span>
<span class="cline-any cline-yes">1×</span>
<span class="cline-any cline-neutral"> </span></td><td class="text"><pre class="prettyprint lang-js">const mach = require("../index");
const makeToken = require("../utils/makeToken");
const {is} = require("ramda");
mach.extend(
require("../extensions/server")
);
/**
* The set of HTTP request methods that are considered safe because they
* do not alter server data.
*/
const SAFE_METHODS = {
GET: true,
HEAD: true,
OPTIONS: true,
TRACE: true
};
/**
* A middleware that helps to prevent Cross-site Request Forgery attacks by
* requiring the client to include an authentication token in all form
* submissions that matches a value stored in the session cookie. See
* http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html
*
* If the session does not already have an authentication token one is
* automatically generated and stored in the session. The default session key
* is "_token". All form submissions need to include this value in the "_token"
* parameter, like this:
*
* <form method="POST" action="/">
* <input type="hidden" name="_token" value="{{session._token}}">
* </form>
*
* On the backend, you need to put both mach.session and mach.params in front of
* mach.token in order for it to be able to retrieve values from the request session
* and parameters, like this:
*
* app.use(mach.session);
* app.use(mach.params);
* app.use(mach.token);
* app.run(function (conn) {
* // The connection authenticated successfully
* });
*
* Options may be any of the following:
*
* - paramName The name of the request parameter that contains the token
* (i.e. the value of the "name" attribute on your <input>).
* Defaults to "_token"
* - sessionKey The name of the session variable to use to store the token.
* Defaults to "_token"
* - byteLength The length of the token in bytes. Defaults to 32
*
* Note: Non-POST requests are always forwarded to the downstream app regardless of
* whether or not they contain the token since it is assumed they are not modifying
* anything and are safe.
*/
function verifyToken(app, options) {
options = options || {};
<span class="missing-if-branch" title="if path not taken" >I</span>if (is(String, options)) {
<span class="cstat-no" title="statement not covered" > options = {paramName: options};</span>
}
const paramName = options.paramName || "_token";
const sessionKey = options.sessionKey || "_token";
const byteLength = options.byteLength || 32;
return function (conn) {
let session = conn.session, params = conn.params;
<span class="missing-if-branch" title="if path not taken" >I</span>if (!session) {
<span class="cstat-no" title="statement not covered" > conn.onError(new Error("No session! Use mach.session in front of mach.token"));</span>
} else <span class="missing-if-branch" title="if path not taken" >I</span>if (!params) {
<span class="cstat-no" title="statement not covered" > conn.onError(new Error("No params! Use mach.params in front of mach.token"));</span>
} else {
let token = session[sessionKey];
// Create a new session token if needed.
if (!token) {
token = session[sessionKey] = makeToken(byteLength);
}
if (params[paramName] && params[paramName] === token) {
return conn.call(app);
}
}
// If the request is not a POST we assume it's not a form submission
// and therefore not modifying anything. Pass it downstream.
if (SAFE_METHODS[conn.method] === true) {
return conn.call(app);
}
conn.text(403, "Forbidden");
};
}
module.exports = verifyToken;
</pre></td></tr>
</table></pre>
<div class='push'></div><!-- for sticky footer -->
</div><!-- /wrapper -->
<div class='footer quiet pad2 space-top1 center small'>
Code coverage
generated by <a href="http://istanbul-js.org/" target="_blank">istanbul</a> at Wed Jul 06 2016 20:37:18 GMT-0500 (CDT)
</div>
</div>
<script src="../../prettify.js"></script>
<script>
window.onload = function () {
if (typeof prettyPrint === 'function') {
prettyPrint();
}
};
</script>
<script src="../../sorter.js"></script>
</body>
</html>