Feat: ajout token csrf

BaptisteBuvron · Jun 15, 2023 · d0319cd · d0319cd
1 parent 14e2a64
commit d0319cd
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 12 deletions.
diff --git a/app/controllers/HomeController.ts b/app/controllers/HomeController.ts
@@ -6,6 +6,7 @@ import {OffreDePoste} from "../entity/OffreDePoste";
 import {UserRepository} from "../repository/UserRepository";
 import {Alert} from "../utils/Alert";
 import {FicheDePosteRepository} from "../repository/FicheDePosteRepository";
+
 const {loggedInNoRedirection} = require("../passport/passportFunctions");
 
 
@@ -35,7 +36,7 @@ export class HomeController {
         const alerts: Alert[] = [];
         if (req.method === "POST") {
             let siren = req.body.siren;
-            let mail = "[email protected]"; //TO DO get mail from session variable
+            let mail = req.user.email//TO DO get mail from session variable
             if (req.body.siege) {
                 let organisation: Organisation = new Organisation(
                     req.body.siren,

diff --git a/app/controllers/OfferController.ts b/app/controllers/OfferController.ts
@@ -5,6 +5,7 @@ import {OfferRepository} from "../repository/OfferRepository";
 import {FicheDePoste} from "../entity/FicheDePoste";
 import {Alert} from "../utils/Alert";
 import {loggedInNoRedirection} from "../passport/passportFunctions";
+import {csrfValidation} from "../utils/Security";
 
 export class OfferController {
 
@@ -15,6 +16,12 @@ export class OfferController {
         console.log(req.method);
 
         if (req.method === "POST") {
+
+            let csrfToken = req.body._csrf;
+            if (!csrfValidation(req, csrfToken)) {
+                alerts.push(new Alert("danger", "Erreur CSRF"));
+                return res.redirect("/logout");
+            }
             //TODO validation data
             let listePiece: string = "";
             let nbPiece: number = 0;
@@ -64,10 +71,9 @@ export class OfferController {
                 title: "Créer une offre",
                 ficheDePostes: ficheDePostes,
                 alerts: alerts,
-                user: loggedInNoRedirection(req, res)
+                user: loggedInNoRedirection(req, res),
+                csrfToken: req.session.csrfSecret
             });
         });
-
-
     }
 }
diff --git a/app/middlewares/CSRFMiddlewares.ts b/app/middlewares/CSRFMiddlewares.ts
@@ -0,0 +1,12 @@
+import {randomBytes} from 'crypto';
+import {loggedInNoRedirection} from "../passport/passportFunctions";
+
+export function createCSRFToken(req: any, res: any, next: any) {
+    if (loggedInNoRedirection(req, res)) {
+        if (req.session.csrfSecret === undefined) {
+            req.session.csrfSecret = randomBytes(64).toString("hex");
+            console.log("2. in createCSRFToken req.sessionID: ", req.sessionID);
+        }
+    }
+    next();
+}
diff --git a/app/routes/MainRouter.ts b/app/routes/MainRouter.ts
@@ -1,5 +1,6 @@
 import {Router} from "express";
 import {HomeController} from "../controllers/HomeController";
+import {createCSRFToken} from "../middlewares/CSRFMiddlewares";
 
 const { v4: uuidv4 } = require("uuid");
 const session = require("express-session");
@@ -25,6 +26,7 @@ defaultRouter.use(
 );
 defaultRouter.use(passport.initialize());
 defaultRouter.use(passport.session());
+defaultRouter.use(createCSRFToken)
 
 defaultRouter.get("/", HomeController.index);
 defaultRouter.get("/login", HomeController.login);

diff --git a/app/routes/RecruterRouter.ts b/app/routes/RecruterRouter.ts
@@ -5,4 +5,3 @@ export const recruterRouter = express.Router();
 
 recruterRouter.get("/", RecruteurController.index);
 recruterRouter.get("/candidatures", RecruteurController.candidatures);
-
diff --git a/app/types/index.d.ts b/app/types/index.d.ts
@@ -1,10 +1,14 @@
+import {User} from "../entity/User";
+
 export {};
 
 declare global {
     namespace Express {
         interface Request {
             logout: any;
             login: any;
+            session: any;
+            user: User;
         }
     }
 }
diff --git a/app/utils/Security.ts b/app/utils/Security.ts
@@ -0,0 +1,5 @@
+import {Request} from "express";
+
+export function csrfValidation(req: Request, csrfToken: string) {
+    return req.session.csrfSecret === csrfToken;
+}
diff --git a/app/views/demandeRecruteur.ejs b/app/views/demandeRecruteur.ejs
@@ -11,7 +11,7 @@
   <div class="tab-content mb-2">
     <div class="tab-pane fade show active" id="select-tab">
       <h5 class="mb-4">Choisissez l'entreprise pour laquelle vous demandez à être recruteur</h5>
-      <form class="needs-validation" action="/recruiter" method="POST">
+      <form class="needs-validation" action="/devenir-recruteur" method="POST">
         <div class="form-group row">
           <div class="input-group col-sm-8">
             <select class="form-control" id="siren" name="siren">
@@ -27,17 +27,17 @@
       </form>
     </div>
     <div class="tab-pane fade" id="input-tab">
-      <form class="needs-validation" action="/recruiter" method="POST">
+      <form class="needs-validation" action="/devenir-recruteur" method="POST">
         <div class="mb-3">
-            <label for="nom" class="form-label">Nom de l'entreprise</label>
-            <input type="text" class="form-control" id="nom" name="nom" placeholder="Nom">
+          <label for="nom" class="form-label">Nom de l'entreprise</label>
+          <input type="text" class="form-control" id="nom" name="nom" placeholder="Nom">
         </div>
         <div class="mb-3">
-            <label for="siren" class="form-label">Siren</label>
-            <input type="text" class="form-control" id="siren" name="siren" placeholder="983434688" maxlength="9">
+          <label for="siren" class="form-label">Siren</label>
+          <input type="text" class="form-control" id="siren" name="siren" placeholder="983434688" maxlength="9">
         </div>
         <div class="mb-3">
-            <label for="type" class="form-label">Type</label>
+          <label for="type" class="form-label">Type</label>
             <input type="text" class="form-control" id="type" name="type" placeholder="SARL">
         </div>
         <div class="mb-3">

diff --git a/app/views/offre/creation.ejs b/app/views/offre/creation.ejs
@@ -25,6 +25,7 @@
             <div class="card-body">
                 <h4 class="mb-3">OffreDePoste</h4>
                 <form class="needs-validation" novalidate="" action="/offre/creation" method="POST">
+                    <input type="hidden" name="_csrf" value="<%= csrfToken %>">
                     <div class="row g-3">
                         <!-- Select fiche de poste from the ficheDePostes variables-->
                         <div>