A security middleware for Node.js (Express) apps that detects basic OWASP Top issues and generates a report in your ThreatEquation dashboard.
;
var crypto = require('crypto');
var token = require('./token');
var logger = require('../lib/logger');
var send = require('../lib/log_generator');
/**
 * Forwards the request to the log generator, tagged as a CSRF event.
 * @param {Object} req - express request being reported
 */
function send_log(req) {
  var category = "CSRF";
  send(req, category);
}
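/**
 * Generates a random CSRF token.
 *
 * Originally contributed by shahadat. The previous version hashed
 * Date.now() + Math.random() with SHA-1; Math.random() is not a
 * cryptographically secure source, and `crypto` was never required in this
 * file, so the call threw a ReferenceError. The token now comes from
 * crypto.randomBytes (required at the top of the file). The output format is
 * unchanged: 40 lowercase hex digits.
 *
 * @return {string} 40-character hex string (160 bits of entropy)
 */
function generate_csrf_token() {
  // 20 random bytes -> 40 hex chars, the same length as the old sha1 digest.
  return crypto.randomBytes(20).toString('hex');
}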
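/**
 * Builds the CSRF-protection middleware.
 *
 * @param {Object} [options]
 * @param {boolean} [options.angular] - use Angular's header/cookie names
 *   ('X-XSRF-TOKEN' / 'XSRF-TOKEN'); these take precedence over
 *   options.header and options.cookie.
 * @param {string} [options.key='_csrf'] - body field (and res.locals key) holding the token
 * @param {Object} [options.impl] - token implementation; defaults to ./token
 * @param {string} [options.header='x-csrf-token'] - request header carrying the token
 * @param {string} [options.secret='_csrfSecret'] - passed through to impl.create
 * @param {string} [options.cookie] - when set, the token is also written to this cookie
 * @returns {Function} express middleware (req, res, next)
 */
module.exports = function (options) {
  // Read the caller's options without mutating them. The earlier implementation
  // overwrote options.header / options.cookie when options.angular was set, so an
  // options object reused for another middleware silently carried the Angular names.
  var opts = options || {};
  var useAngularNames = Boolean(opts.angular);
  var key = opts.key || '_csrf';
  var impl = opts.impl || token;
  var header = useAngularNames ? 'X-XSRF-TOKEN' : (opts.header || 'x-csrf-token');
  var secret = opts.secret || '_csrfSecret';
  var cookie = useAngularNames ? 'XSRF-TOKEN' : opts.cookie;
  // Incoming header names are looked up lower-cased; compute the key once, not per request.
  var headerKey = header.toLowerCase();

  /**
   * Creates a token via impl and normalises the shape impl.create returns:
   * either a bare token value or an object {token, secret, validate}.
   * validate is taken from impl itself when present, else from the created object.
   * @param {Object} req - express request
   * @param {string} csrfSecret - secret handed to impl.create
   * @returns {{validate: Function, token: *, secret: *}}
   */
  function getCsrf(req, csrfSecret) {
    var created = impl.create(req, csrfSecret);
    return {
      validate: impl.validate || created.validate,
      token: created.token || created,
      secret: created.secret
    };
  }

  /**
   * Exposes the token to templates via res.locals[key] and, when a cookie name
   * is configured, to the client via that cookie.
   */
  function setToken(res, csrfToken) {
    res.locals[key] = csrfToken;
    if (cookie) {
      // NOTE(review): res.cookie is called with no attributes (secure/sameSite), so
      // express defaults apply — confirm that is intended for the deployment.
      res.cookie(cookie, csrfToken);
    }
  }

  return function checkCsrf(req, res, next) {
    var csrf = getCsrf(req, secret);
    setToken(res, csrf.token);

    /**
     * Returns the token for this request, regenerating it only when the
     * underlying secret has changed since the middleware first ran.
     */
    req.csrfToken = function csrfToken() {
      var fresh = getCsrf(req, secret);
      var sameSecret = csrf.secret && fresh.secret && csrf.secret === fresh.secret;
      if (sameSecret) {
        // NOTE(review): the "CSRF" event is reported here, on the unchanged-secret
        // path, and not on the validation failure below — confirm this is the
        // intended reporting point.
        send_log(req);
        return csrf.token;
      }
      csrf = fresh;
      setToken(res, csrf.token);
      return csrf.token;
    };

    // Safe verbs are not validated.
    var method = req.method;
    if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') {
      return next();
    }

    // The token is read from the body field (req.body is only present when
    // something upstream parsed it) or, failing that, from the header.
    var supplied = (req.body && req.body[key]) || req.headers[headerKey];
    if (csrf.validate(req, supplied)) {
      return next();
    }

    res.statusCode = 403;
    var err = new Error(supplied ? 'CSRF token mismatch' : 'CSRF token missing');
    // Carry the status on the error as well, so error handlers that read
    // err.status agree with res.statusCode.
    err.status = 403;
    next(err);
  };
};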