yazid138 há 2 anos atrás
2 ficheiros alterados com 11 adições e 3 exclusões
  1. 11 2
      app.js
  2. 0 1
      package.json

+ 11 - 2
app.js

@@ -14,8 +14,9 @@ app.use(logger('dev'))
 app.use(express.json())
 app.use(cors({ origin: true, credentials: true }))
 app.use(express.urlencoded({ extended: false }))
-app.use(cookieParser('asdfa7a56sdf586aasdf'))
-// app.use(csrf("XwHsY7X1spE#pdhgdGe9G$Cw&mF7n8=$", ['POST', 'PUT', 'DELETE'], ['/v1/auth/login', /\/v1\/auto\//i]))
+app.use(cookieParser(process.env.SRU51))
+app.use(csrf( ['GET', 'HEAD', 'OPTIONS'], ['/v1/auth/login', /\/v1\/auto\//i]))
+
 app.use(express.static(path.join(__dirname, 'public')))
 
 app.get('/', (req, res) => {
@@ -31,4 +32,12 @@ app.use((req, res) =>
   response.error(res, { code: 404, message: 'request not found' })
 )
 
+app.use((err, req, res, next) => {
+  if (err.code === 'EBADCSRFTOKEN') {
+    response.error(res, { code: 403, message: 'invalid csrf token' })
+  } else {
+    response.error(res, { code: err.code || 500, message: err.message })
+  }
+})
+
 module.exports = app
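Review bot: The new error handler in the second hunk sends `err.code || 500` and `err.message` straight to the client, but `err.code` is a string for many Node and library errors (the `'EBADCSRFTOKEN'` branch just above relies on exactly that), so the response code can end up non-numeric, and `err.message` discloses internal failure details for unexpected server errors. Use the code only when it is an integer, log the full error server-side, and return a generic message for 5xx responses. The unused `next` parameter has to stay so Express recognises the four-argument error-handler signature; a comment such as `// 4-arg signature required for Express error middleware` would make that intent clear. Separately, `cookieParser(process.env.SRU51)` in the first hunk has no check that the variable is set: an undefined value silently leaves cookies unsigned, so a startup guard like `if (!process.env.SRU51) throw new Error('SRU51 must be set')` is worth adding before that line (outside the hunk).
```javascript
app.use((err, req, res, next) => {
  if (err.code === 'EBADCSRFTOKEN') {
    response.error(res, { code: 403, message: 'invalid csrf token' })
    return
  }
  // Only numeric codes are valid HTTP statuses; string codes (Node system errors) fall back to 500
  const code = Number.isInteger(err.code) ? err.code : 500
  // Keep the full error on the server; do not echo internals back for server faults
  console.error(err)
  response.error(res, { code, message: code >= 500 ? 'internal server error' : err.message })
})
```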

+ 0 - 1
package.json

@@ -13,7 +13,6 @@
     "child-process": "^1.0.2",
     "cookie-parser": "~1.4.4",
     "cors": "^2.8.5",
-    "crypto": "^1.0.1",
     "cryptr": "^6.2.0",
     "csrf-csrf": "^2.3.0",
     "debug": "~2.6.9",