menu

SFRA / Server-side JS / Source: app_storefront_base/cartridge/scripts/middleware/csrf.js

'use strict';

var csrfProtection = require('dw/web/CSRFProtection');
var CustomerMgr = require('dw/customer/CustomerMgr');
var URLUtils = require('dw/web/URLUtils');

/**
 * Middleware validating CSRF token
 * @param {Object} req - Request object
 * @param {Object} res - Response object
 * @param {Function} next - Next call in the middleware chain
 * @returns {void}
 */
function validateRequest(req, res, next) {
    if (!csrfProtection.validateRequest()) {
        CustomerMgr.logoutCustomer(false);
        res.redirect(URLUtils.url('CSRF-Fail'));
    }

    next();
}

/**
 * Middleware validating CSRF token from ajax request
 * @param {Object} req - Request object
 * @param {Object} res - Response object
 * @param {Function} next - Next call in the middleware chain
 * @returns {void}
 */
function validateAjaxRequest(req, res, next) {
    if (!csrfProtection.validateRequest()) {
        CustomerMgr.logoutCustomer(false);
        res.redirect(URLUtils.url('CSRF-AjaxFail'));
    }

    next();
}

/**
 * Middleware generating a csrf token and setting the view data
 * @param {Object} req - Request object
 * @param {Object} res - Response object
 * @param {Function} next - Next call in the middleware chain
 * @returns {void}
 */
function generateToken(req, res, next) {
    res.setViewData({ csrf: {
        tokenName: csrfProtection.getTokenName(), token: csrfProtection.generateToken() } });

    next();
}

module.exports = {
    validateRequest: validateRequest,
    validateAjaxRequest: validateAjaxRequest,
    generateToken: generateToken
};