From 639d423f35fd191225126a6dc17e77c2a67c8a2b Mon Sep 17 00:00:00 2001 From: Adam Schodde Date: Thu, 30 Oct 2014 14:13:13 -0700 Subject: [PATCH] Updated package to express 4, oauthio 0.3.1 and added CSRF tokens. --- app.js | 30 +++++++++++++++++++++--------- package.json | 7 ++++--- public/src/background.js | 9 +++++---- public/src/script.js | 28 +++++++++++++++++++++++++--- 4 files changed, 55 insertions(+), 19 deletions(-) diff --git a/app.js b/app.js index 2ce15da..51400d0 100644 --- a/app.js +++ b/app.js @@ -2,6 +2,7 @@ var express = require('express'); var bodyParser = require('body-parser'); var session = require('express-session'); var cookieParser = require('cookie-parser'); +var csrf = require('csurf'); /* Requiring the lib */ @@ -10,18 +11,29 @@ var oauth = require('oauthio'); var app = express(); app.use(express.static('public')); -app.use(bodyParser()); +app.use(bodyParser.urlencoded({ extended: false })); +app.use(bodyParser.json()); app.use(cookieParser()); -app.use(session({secret: 'keyboard cat', key: 'sid'})); +app.use(session({ + secret: 'keyboard cat', + resave: true, + saveUninitialized: false +})); +app.use(csrf()); +app.use(function(req, res, next) { + res.cookie('XSRF-TOKEN', req.csrfToken()); + res.locals.csrftoken = req.csrfToken(); + next(); +}); /* Initialization */ try { - var config = require('./config'); + var config = require('./config'); } catch (e) { // Create a config.js file returning an object like the following if you haven't done it yet var config = { - key: 'your_key', - secret: 'your_secret' + key: '', + secret: '' }; } 
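Review bot: A rejected token has no handler in the new `app.use(csrf())` setup, so csurf's error (it carries `code: 'EBADCSRFTOKEN'`) falls through to Express's default error handler, which answers 500 and, outside `NODE_ENV=production`, includes the stack trace in the response; add an error middleware after the routes such as `app.use(function (err, req, res, next) { if (err.code !== 'EBADCSRFTOKEN') return next(err); res.status(403).send('Invalid CSRF token'); });`. The `XSRF-TOKEN` cookie is set with no flags at all; it must stay readable by script for the cookie-to-header pattern, so `httpOnly` is out, but it should at least be `secure` when served over TLS, e.g. `res.cookie('XSRF-TOKEN', token, { secure: app.get('env') === 'production' })`. In the same middleware `req.csrfToken()` is called twice; call it once into a local and reuse it for the cookie and for `res.locals.csrftoken`. The `'keyboard cat'` session secret is carried over from the removed line and is still a placeholder committed to the repository; the `config` object this hunk loads a few lines later is the natural place to read it from.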
@@ -44,15 +56,15 @@ app.post('/oauth/signin', function (req, res) { code: code }) .then(function (request_object) { - // Here the user is authenticated, and the access token + // Here the user is authenticated, and the access token // for the requested provider is stored in the session. // Continue the tutorial or checkout the step-4 to get // the code for the request - res.send(200, 'The user is authenticated'); + res.status(200).send('The user is authenticated'); }) .fail(function (e) { console.log(e); - res.send(400, 'Code is incorrect'); + res.status(400).send('Code is incorrect'); }); }); @@ -72,7 +84,7 @@ app.get('/me', function (req, res) { }) .fail(function (e) { console.log(e); - res.send(400, 'An error occured'); + res.status(400).send('An error occured'); }); }); diff --git a/package.json b/package.json index 281482f..e419876 100644 --- a/package.json +++ b/package.json @@ -9,10 +9,11 @@ "author": "oauth.io", "license": "Apache2", "dependencies": { - "express": "^4.1.2", - "oauthio": "^0.1.0", + "body-parser": "^1.0.2", "cookie-parser": "^1.0.1", + "csurf": "^1.6.2", + "express": "^4.1.2", "express-session": "^1.0.4", - "body-parser": "^1.0.2" + "oauthio": "^0.3.1" } } diff --git a/public/src/background.js b/public/src/background.js index 66fb322..031c427 100644 --- a/public/src/background.js +++ b/public/src/background.js @@ -5,11 +5,12 @@ function available(elt) { $('.' + elt + '_endpoint_available').show(); } +/* $.ajax({ url: '/oauth/token', success: function () { available('token'); - }, + }, error: function (r) { if (r.status !== 404) { available('token'); @@ -22,7 +23,7 @@ $.ajax({ method: 'POST', success: function () { available('auth'); - }, + }, error: function (r) { if (r.status !== 404) { available('auth'); @@ -34,10 +35,10 @@ $.ajax({ url: '/me', success: function () { available('request'); - }, + }, error: function (r) { if (r.status !== 404) { available('request'); } } -}); \ No newline at end of file +});*/ \ No newline at end of file 
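Review bot: The rewritten line in the `/me` handler keeps the misspelled user-facing message; since the line is being touched anyway, make it `res.status(400).send('An error occurred');`. The `/oauth/signin` hunk above has the same `status().send()` migration and needs no change.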
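Review bot: The endpoint probes in background.js are commented out with `/* ... */` rather than removed, so the whole probe block stays in the shipped file as dead code; since the history keeps it, delete the block and leave a one-line comment stating why it went, e.g. `// Endpoint probes removed: the POST probe cannot pass the CSRF check without a token.` if that is the reason (the hunk does not say). If the probes are meant to return, the POST one will need the same `x-csrf-token` header that script.js now installs, otherwise it fails with the CSRF error rather than a 404 and `available('auth')` is shown regardless. The same applies to the two earlier hunks in this file, which only open the comment and fix trailing whitespace.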
diff --git a/public/src/script.js b/public/src/script.js index c1629d0..9152739 100644 --- a/public/src/script.js +++ b/public/src/script.js @@ -17,13 +17,35 @@ function retrieve_token(callback) { function authenticate(token, callback) { OAuth.popup('google', { state: token, - // Google requires the following field + // Google requires the following field // to get a refresh token authorize: { approval_prompt: 'force' } - }) - .done(function(r) { + }).done(function(r) { + $.ajaxSetup({ + beforeSend: function(xhr, settings) { + function getCookie(name) { + var cookieValue = null; + if (document.cookie && document.cookie != '') { + var cookies = document.cookie.split(';'); + for (var i = 0; i < cookies.length; i++) { + var cookie = jQuery.trim(cookies[i]); + // Does this cookie string begin with the name we want? + if (cookie.substring(0, name.length + 1) == (name + '=')) { + cookieValue = decodeURIComponent(cookie.substring(name.length + 1)); + break; + } + } + } + return cookieValue; + } + if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) { + // Only send the token to relative URLs i.e. locally. + xhr.setRequestHeader("x-csrf-token", getCookie('XSRF-TOKEN')); + } + } + }); $.ajax({ url: '/oauth/signin', method: 'POST',
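Review bot: The same-origin test `if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url)))` only excludes URLs that begin with lowercase `http:`/`https:`, so a protocol-relative `//other-host/path` or an `HTTP://` URL counts as local and the `x-csrf-token` header, with the token read from the cookie, is sent to another origin; jQuery already computes this for each request, so use `if (!settings.crossDomain) { xhr.setRequestHeader("x-csrf-token", getCookie('XSRF-TOKEN')); }`. `$.ajaxSetup` configures every future `$.ajax` call globally, yet it is registered inside the `.done` callback, so it is re-installed on each `authenticate()` call and `getCookie` is redefined on every request; hoist the `$.ajaxSetup({...})` block and `getCookie` to module scope so the header is also present on requests made before the popup completes. The comparisons `document.cookie != ''` and `== (name + '=')` should be strict (`!==`/`===`). The `$.ajax({ url: '/oauth/signin', method: 'POST',` call at the end is cut by the hunk boundary, so the body of `authenticate` continues outside the hunk.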