@@ -541,6 +541,13 @@ class API {
541541 this . storage . get ( 'sessions/' + session_id , function ( err , session ) {
542542 if ( err ) return callback ( err , null , null ) ;
543543
544+ // csrf check
545+ var csrf_token = args . request . headers [ 'x-csrf-token' ] || args . params . csrf_token || null ;
546+ if ( self . usermgr . config . get ( 'use_csrf' ) && ! args . request . method . match ( / ^ ( G E T | H E A D ) $ / ) && session . csrf_token && ( csrf_token != session . csrf_token ) ) {
547+ self . logError ( 'user' , "Failed to validate session: Invalid CSRF Token" , { username : session . username , ips : args . ips } ) ;
548+ return callback ( new Error ( "Invalid session" ) , null , null ) ;
549+ }
550+
544551 // also load user
545552 self . storage . get ( 'users/' + self . usermgr . normalizeUsername ( session . username ) , function ( err , user ) {
546553 if ( err ) return callback ( err , null , null ) ;
@@ -554,6 +561,10 @@ class API {
554561 delete args . request . headers [ 'x-session-id' ] ;
555562 delete args . request . headers [ 'cookie' ] ;
556563
564+ // cleanup csrf token mess as well
565+ delete args . params . csrf_token ;
566+ delete args . request . headers [ 'x-csrf-token' ] ;
567+
557568 // pass both session and user to callback
558569 callback ( null , session , user ) ;
559570 } ) ;
0 commit comments