Added node modules

node_modules/connect/lib/middleware/csrf.js

@@ -0,0 +1,105 @@
+
+/*!
+ * Connect - csrf
+ * Copyright(c) 2011 Sencha Inc.
+ * MIT Licensed
+ */
+
+/**
+ * Module dependencies.
+ */
+
+var utils = require('../utils')
+  , crypto = require('crypto');
+
+/**
+ * CRSF protection middleware.
+ *
+ * By default this middleware generates a token named "_csrf"
+ * which should be added to requests which mutate
+ * state, within a hidden form field, query-string etc. This
+ * token is validated against the visitor's `req.session._csrf`
+ * property which is re-generated per request.
+ *
+ * The default `value` function checks `req.body` generated
+ * by the `bodyParser()` middleware, `req.query` generated
+ * by `query()`, and the "X-CSRF-Token" header field.
+ *
+ * This middleware requires session support, thus should be added
+ * somewhere _below_ `session()` and `cookieParser()`.
+ *
+ * Examples:
+ *
+ *      var form = '\n\
+ *        <form action="/" method="post">\n\
+ *          <input type="hidden" name="_csrf" value="{token}" />\n\
+ *          <input type="text" name="user[name]" value="{user}" />\n\
+ *          <input type="password" name="user[pass]" />\n\
+ *          <input type="submit" value="Login" />\n\
+ *        </form>\n\
+ *      '; 
+ *      
+ *      connect(
+ *          connect.cookieParser()
+ *        , connect.session({ secret: 'keyboard cat' })
+ *        , connect.bodyParser()
+ *        , connect.csrf()
+ *      
+ *        , function(req, res, next){
+ *          if ('POST' != req.method) return next();
+ *          req.session.user = req.body.user;
+ *          next();
+ *        }
+ *      
+ *        , function(req, res){
+ *          res.setHeader('Content-Type', 'text/html');
+ *          var body = form
+ *            .replace('{token}', req.session._csrf)
+ *            .replace('{user}', req.session.user && req.session.user.name || '');
+ *          res.end(body);
+ *        }
+ *      ).listen(3000);
+ *
+ * Options:
+ *
+ *    - `value` a function accepting the request, returning the token 
+ *
+ * @param {Object} options
+ * @api public
+ */
+
+module.exports = function csrf(options) {
+  var options = options || {}
+    , value = options.value || defaultValue;
+
+  return function(req, res, next){
+    // generate CSRF token
+    var token = req.session._csrf || (req.session._csrf = utils.uid(24));
+
+    // ignore GET (for now)
+    if ('GET' == req.method) return next();
+
+    // determine value
+    var val = value(req);
+
+    // check
+    if (val != token) return utils.forbidden(res);
+    
+    next();
+  }
+};
+
+/**
+ * Default value function, checking the `req.body`
+ * and `req.query` for the CSRF token.
+ *
+ * @param {IncomingMessage} req
+ * @return {String}
+ * @api private
+ */
+
+function defaultValue(req) {
+  return (req.body && req.body._csrf)
+    || (req.query && req.query._csrf)
+    || (req.headers['x-csrf-token']);
+}