Does it support CSRF protection? As I see it uses cookies to store sessions.
Yes it does, although you currently have to configure it yourself (there's no default implementation).
There are two implementations of CSRF protection for express (that I know of): the one bundled with express itself (actually connect) - http://www.senchalabs.org/connect/csrf.html - and the one in lusca from Paypal (part of the KrakenJS suite) - https://github.com/paypal/lusca
I'd like to include CSRF protection by default and make it really easy to implement with the View class.
CSRF is now implemented in Keystone, so I'm closing this.
Is there any documentation for how to configure it anywhere?
nope. What do you want to do to it? @jesuscript https://github.com/keystonejs/keystone/blob/e4d81801cce17ab3244df0a56eb3b3dcdc3fb65c/lib/security/csrf.js
that was quick, thanks :) I need to set up some protection for a "contact us" form. Never used csrf before, just wondering how it's done.
csrf protection is added to list interactions https://github.com/keystonejs/keystone/blob/08aa9526b872683e6e87a60751f923436f7812c4/routes/views/list.js#L134 so it's automatic if you do things the _Keystone_ way
great. I'm not sure I understand how to create a form the Keystone way. Any pointers?
https://github.com/JedWatson/keystone-demo/blob/master/templates/views/contact.jade - i've got something very similar
All forms get injected with csrf related data ( @JedWatson correct me if I'm wrong). So you don't have to add anything special to a form to get csrf protection.
See https://github.com/r3dm/shpe-sfba/blob/master/templates/views/jobForm.jade#L18; it produces a form that submits post data like this:
Note the cookie field in the Request Headers for the post.
Yep, I see that. Doesn't happen for me (no XSRF cookie). I thought there was some config that needed to be switched on so I cloned the repo and searched for xsrf and csrf but nothing came up.
I'm using Keystone 0.2.42 which is the latest release I think...
@jesuscript This is how Keystone sets up and uses csrf.
The implementation file is https://github.com/keystonejs/keystone/blob/master/lib/security/csrf.js.
In a route file you can add locals for csrf:
// name of the hidden form field / query parameter carrying the token
res.locals.csrf_token_key = keystone.security.csrf.TOKEN_KEY;
// the token value for this request (issued once per session)
res.locals.csrf_token_value = keystone.security.csrf.getToken(req, res);
// ready-made query-string fragment for links that need the token
res.locals.csrf_query = '&' + keystone.security.csrf.TOKEN_KEY + '=' + keystone.security.csrf.getToken(req, res);
To check for a valid csrf token in the POST handler use:
if (!keystone.security.csrf.validate(req)) {
  // token missing or does not match the session: reject the submission
  req.flash('error', 'There was an error with your request, please try again.');
}
Then use them in jade however you like. This is from Keystone 0.2.x. Provide your own way of adding the values to the request.
// #{...} are jade interpolations, so this goes inside a jade script block
var Keystone = {
  // merge the csrf field into an object of form/ajax parameters
  csrf: function(obj) {
    obj['#{csrf_token_key}'] = "#{csrf_token_value}";
    return obj;
  }
};
// expose the raw values as well (functions are objects, so this is valid)
Keystone.csrf.key = "#{csrf_token_key}";
Keystone.csrf.value = "#{csrf_token_value}";
Keystone.csrf.qs = "#{csrf_query}";
Thanks snowkeeper! That should do it :+1: