Fixes #500 removes CSRF token setting in cookie and validation on request (#501)

2018-01-08 13:12:55 -08:00 · 2018-01-08 13:12:55 -08:00 · 2f29d6add1
commit 2f29d6add1
parent b45e53483f
1 changed files with 2 additions and 20 deletions
--- a/server/server.js
+++ b/server/server.js
@ -7,7 +7,6 @@ import session from 'express-session';
 import connectMongo from 'connect-mongo';
 import passport from 'passport';
 import path from 'path';
-import csurf from 'csurf';

 // Webpack Requirements
 import webpack from 'webpack';
@ -79,14 +78,6 @@ app.use(session({
  })
 }));

-// Enables CSRF protection and stores secret in session
-app.use(csurf());
-// Middleware to add CSRF token as cookie to some requests
-const csrfToken = (req, res, next) => {
-  res.cookie('XSRF-TOKEN', req.csrfToken());
-  next();
-};
-
 app.use(passport.initialize());
 app.use(passport.session());
 app.use('/api', requestsOfTypeJSON(), users);
@ -97,9 +88,9 @@ app.use('/api', requestsOfTypeJSON(), aws);
 app.use(assetRoutes);
 // this is supposed to be TEMPORARY -- until i figure out
 // isomorphic rendering
-app.use('/', csrfToken, serverRoutes);
+app.use('/', serverRoutes);

-app.use('/', csrfToken, embedRoutes);
+app.use('/', embedRoutes);
 app.get('/auth/github', passport.authenticate('github'));
 app.get('/auth/github/callback', passport.authenticate('github', { failureRedirect: '/login' }), (req, res) => {
  res.redirect('/');
@ -135,15 +126,6 @@ app.get('*', (req, res) => {
  res.type('txt').send('Not found.');
 });

-// error handler
-app.use((err, req, res, next) => {
-  if (err.code !== 'EBADCSRFTOKEN') return next(err);
-
-  console.error('Invalid CSRF Token.');
-  console.error(req.url);
-  return next(err);
-});
-
 // start app
 app.listen(serverConfig.port, (error) => {
  if (!error) {