Merge pull request #2964 from mozilla/MNTOR-1166

MNTOR-1166: Moving csrf to routing index
This commit is contained in:
mansaj 2023-04-03 12:09:06 -07:00 коммит произвёл GitHub
Родитель a4b6b382fd d2c7a51244
Коммит 361f457c5c
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
2 изменённых файлов: 8 добавлений и 9 удалений


@ -18,7 +18,6 @@ import '@sentry/tracing'
import AppConstants from './app-constants.js' import AppConstants from './app-constants.js'
import { localStorage } from './utils/local-storage.js' import { localStorage } from './utils/local-storage.js'
import { errorHandler } from './middleware/error.js' import { errorHandler } from './middleware/error.js'
import { doubleCsrfProtection } from './utils/csrf.js'
import { initFluentBundles, updateLocale, getMessageWithLocale, getMessage } from './utils/fluent.js' import { initFluentBundles, updateLocale, getMessageWithLocale, getMessage } from './utils/fluent.js'
import { loadBreachesIntoApp } from './utils/hibp.js' import { loadBreachesIntoApp } from './utils/hibp.js'
import { RateLimitError } from './utils/error.js' import { RateLimitError } from './utils/error.js'
@ -175,7 +174,6 @@ app.use(noSearchEngineIndex)
app.use(express.static(staticPath)) app.use(express.static(staticPath))
app.use(express.json()) app.use(express.json())
app.use(cookieParser(AppConstants.COOKIE_SECRET)) app.use(cookieParser(AppConstants.COOKIE_SECRET))
app.use(doubleCsrfProtection)
const apiLimiter = rateLimit({ const apiLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes windowMs: 15 * 60 * 1000, // 15 minutes


@ -19,20 +19,21 @@ import { dialog } from '../controllers/dialog.js'
import { landingPage } from '../controllers/landing.js' import { landingPage } from '../controllers/landing.js'
import { notFoundPage } from '../controllers/notFound.js' import { notFoundPage } from '../controllers/notFound.js'
import { notFound } from '../middleware/error.js' import { notFound } from '../middleware/error.js'
import { doubleCsrfProtection } from '../utils/csrf.js'
const router = express.Router() const router = express.Router()
router.get('/', landingPage) router.get('/', landingPage)
router.get('*/dialog/:name', dialog) router.get('*/dialog/:name', dialog)
router.use('/', dockerFlowRoutes) router.use('/admin', doubleCsrfProtection, adminRoutes)
router.use('/admin', adminRoutes)
router.use('/api/v1/hibp/', hibpApiRoutes) router.use('/api/v1/hibp/', hibpApiRoutes)
router.use('/api/v1/user/', userApiRoutes) router.use('/api/v1/user/', doubleCsrfProtection, userApiRoutes)
router.use('/oauth', authRoutes) router.use('/oauth', doubleCsrfProtection, authRoutes)
router.use('/user', userRoutes) router.use('/user', doubleCsrfProtection, userRoutes)
router.use('/breaches', breachesRoutes) router.use('/breaches', doubleCsrfProtection, breachesRoutes)
router.use('/breach-details', breachDetailsRoutes) router.use('/breach-details', doubleCsrfProtection, breachDetailsRoutes)
router.use('/', doubleCsrfProtection, dockerFlowRoutes)
// Do not make the non-auth previews available on prod // Do not make the non-auth previews available on prod
if (AppConstants.NODE_ENV !== 'production') { if (AppConstants.NODE_ENV !== 'production') {
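Review bot: `router.use('/api/v1/hibp/', hibpApiRoutes)` is now the only mounted prefix without `doubleCsrfProtection`, and since it sits above the catch-all `router.use('/', doubleCsrfProtection, dockerFlowRoutes)`, any request hibpApiRoutes answers never passes through the CSRF check at all — before this commit the middleware was applied globally in app.js, so this is a new exemption. If that is deliberate (for instance because those endpoints are authenticated by a shared secret rather than a session cookie — I cannot see hibpApiRoutes from here), say so at the mount point, e.g. `// Not session-cookie authenticated; intentionally outside doubleCsrfProtection — confirm before adding cookie-based handlers here`; otherwise add the middleware to that line like its siblings. Moving from a global `app.use` to per-mount wiring also flips the default from fail-closed to fail-open: a future `router.use` added above line 48 silently ships unprotected, so a one-line comment above the mounts stating that every cookie-authenticated prefix must carry `doubleCsrfProtection` is worth adding. Whether the GET-only `/` and `*/dialog/:name` routes are safe without it depends on the ignored-methods configuration in utils/csrf.js, which is not in this diff. The non-production block opened on the last line continues outside the hunk.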