Sotaro KARASAWA 9 лет назад
Родитель
Сommit
a41a944cfd
5 измененных файлов с 15 добавлено и 15 удалено
  1. 1 0
      lib/crowi/express-init.js
  2. 0 13
      lib/crowi/index.js
  3. 3 0
      lib/routes/login.js
  4. 9 1
      lib/util/middlewares.js
  5. 2 1
      lib/util/swigFunctions.js

+ 1 - 0
lib/crowi/express-init.js

@@ -30,6 +30,7 @@ module.exports = function(crowi, app) {
     app.set('tzoffset', tzoffset);
 
     req.config = config;
+    req.csrfToken = null;
 
     config.crowi['app:url'] = baseUrl = (req.headers['x-forwarded-proto'] == 'https' ? 'https' : req.protocol) + '://' + req.get('host');
 

+ 0 - 13
lib/crowi/index.js

@@ -32,8 +32,6 @@ function Crowi (rootdir, env)
   this.mailer = {};
 
   this.tokens = null;
-  this.csrfToken = null;
-  this.csrfSecret = null;
 
   this.models = {};
 
@@ -251,9 +249,6 @@ Crowi.prototype.setupCsrf = function() {
   var Tokens = require('csrf');
   var tokens = this.tokens = new Tokens();
 
-  this.csrfSecret = tokens.secretSync();
-  this.csrfToken = tokens.create(this.csrfSecret);
-
   return Promise.resolve();
 };
 
@@ -261,14 +256,6 @@ Crowi.prototype.getTokens = function() {
   return this.tokens;
 };
 
-Crowi.prototype.getCsrfSecret = function() {
-  return this.csrfSecret;
-};
-
-Crowi.prototype.getCsrfToken = function() {
-  return this.csrfToken;
-};
-
 Crowi.prototype.start = function() {
   var self = this
     , http = require('http')

+ 3 - 0
lib/routes/login.js

@@ -76,6 +76,9 @@ module.exports = function(crowi, app) {
         }
       });
     } else { // method GET
+      if (req.form) {
+        debug(req.form.errors);
+      }
       return res.render('login', {
       });
     }

+ 9 - 1
lib/util/middlewares.js

@@ -3,6 +3,12 @@ var debug = require('debug')('crowi:lib:middlewares');
 exports.loginChecker = function(crowi, app) {
   return function(req, res, next) {
     var User = crowi.model('User');
+    var csrfKey = (req.session && req.session.id) || 'anon';
+
+    if (req.csrfToken === null) {
+      debug('csrfKey', csrfKey);
+      req.csrfToken = crowi.getTokens().create(csrfKey);
+    }
 
     // session に user object が入ってる
     if (req.session.user && '_id' in req.session.user) {
@@ -26,11 +32,13 @@ exports.loginChecker = function(crowi, app) {
 exports.csrfVerify = function(crowi, app) {
   return function(req, res, next) {
     var token = req.body._csrf || req.query._csrf || null;
+    var csrfKey = (req.session && req.session.id) || 'anon';
+
     if (req.skipCsrfVerify) {
       return next();
     }
 
-    if (crowi.getTokens().verify(crowi.getCsrfSecret(), token)) {
+    if (crowi.getTokens().verify(csrfKey, token)) {
       return next();
     }
 

+ 2 - 1
lib/util/swigFunctions.js

@@ -7,7 +7,8 @@ module.exports = function(crowi, app, req, locals) {
 
   // token getter
   locals._csrf = function() {
-    return crowi.getCsrfToken();
+    debug('csrfToken get', req.csrfToken);
+    return req.csrfToken;
   };
 
   locals.facebookLoginEnabled = function() {
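Review bot: The added `debug('csrfToken get', req.csrfToken)` writes the live anti-forgery token to the debug log on every evaluation of `_csrf` in a template; the token is a per-request secret here and should not land in logs, which are usually retained and read more widely than the session itself. Log the event without the value, `debug('csrfToken get');`, or drop the line entirely. Whether `debug` is in scope in this file is not visible in the hunk; confirm it is required at the top of lib/util/swigFunctions.js before relying on it.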