Add csrf prevention

templates/account-channels.jade

@@ -39,6 +39,7 @@ html(lang="en")
                       tr
                         th
                           form.form-inline.pull-right(action="/account/channels", method="post", onsubmit="return confirm('Are you sure you want to delete #{c.name}?  This cannot be undone');")
+                            input(type="hidden", name="_csrf", value=csrfToken)
                             input(type="hidden", name="action", value="delete_channel")
                             input(type="hidden", name="name", value="#{c.name}")
                             button.btn.btn-xs.btn-danger(type="submit") Delete
@@ -51,6 +52,7 @@ html(lang="en")
                   strong Channel Registration Failed
                   p= newChannelError
               form(action="/account/channels", method="post")
+                input(type="hidden", name="_csrf", value=csrfToken)
                 input(type="hidden", name="action", value="new_channel")
                 .form-group
                   label.control-label(for="channelname") Channel Name

templates/account-edit.jade

@@ -29,6 +29,7 @@ html(lang="en")
                   p= errorMessage
               h3 Change Password
               form(action="/account/edit", method="post", onsubmit="return validatePasswordChange()")
+                input(type="hidden", name="_csrf", value=csrfToken)
                 input(type="hidden", name="action", value="change_password")
                 .form-group
                   label.control-label(for="username") Username
@@ -46,6 +47,7 @@ html(lang="en")
               hr
               h3 Change Email
               form(action="/account/edit", method="post", onsubmit="return submitEmail()")
+                input(type="hidden", name="_csrf", value=csrfToken)
                 input(type="hidden", name="action", value="change_email")
                 .form-group
                   label.control-label(for="username2") Username

templates/account-passwordreset.jade

@@ -25,6 +25,7 @@ html(lang="en")
                 strong Error
                 p= resetErr
             form(action="/account/passwordreset", method="post", role="form")
+              input(type="hidden", name="_csrf", value=csrfToken)
               .form-group
                 label.control-label(for="username") Username
                 input#username.form-control(type="text", name="name")

templates/account-profile.jade

@@ -32,6 +32,7 @@ html(lang="en")
                 p= profileText
               h3 Edit Profile
               form(action="/account/profile", method="post", role="form")
+                input(type="hidden", name="_csrf", value=csrfToken)
                 .form-group
                   label.control-label(for="profileimage") Image
                   input#profileimage.form-control(type="text", name="image")

templates/csrferror.jade

@@ -0,0 +1,30 @@
+doctype html
+html(lang="en")
+  head
+    include head
+    mixin head()
+  body
+    #wrap
+      nav.navbar.navbar-inverse.navbar-fixed-top(role="navigation")
+        include nav
+        mixin navheader()
+        #nav-collapsible.collapse.navbar-collapse
+          ul.nav.navbar-nav
+            mixin navdefaultlinks(path)
+          mixin navloginlogout(path)
+
+      section#mainpage.container
+        .col-md-12
+          .alert.alert-danger
+            h1 Invalid Session
+            p Your browser attempted to submit form data to <code>#{path}</code> with an invalid authentication token.  This may be because:
+              ul
+                li Your session has expired
+                li Your request was missing the authentication token
+                li A malicious user has attempted to tamper with your session
+                li Your browser does not support cookies, or they are not enabled
+              | If the problem persists, please contact an administrator.
+            a(href=path) Return to previous page
+
+    include footer
+    mixin footer()

templates/login.jade

@@ -26,6 +26,7 @@ html(lang="en")
                 p= loginError
             h2 Login
             form(role="form", action="/login", method="post")
+              input(type="hidden", name="_csrf", value=csrfToken)
               if redirect
                 input(type="hidden", name="dest", value=redirect)
               .form-group

templates/nav.jade

@@ -47,7 +47,8 @@ mixin navloginform(redirect)
     - loginDomain = ""
   .visible-lg
     form#loginform.navbar-form.navbar-right(action="#{loginDomain}/login", method="post")
-      input(type="hidden", name="dest", value=redirect)
+      input(type="hidden", name="_csrf", value=csrfToken)
+      input(type="hidden", name="dest", value=encodeURIComponent(redirect))
       .form-group
         input#username.form-control(type="text", name="name", placeholder="Username")
       .form-group
@@ -60,7 +61,7 @@ mixin navloginform(redirect)
       button#login.btn.btn-default(type="submit") Login
   .visible-md
     p#loginform.navbar-text.pull-right
-      a#login.navbar-link(href="#{loginDomain}/login?dest=#{redirect}") Log in
+      a#login.navbar-link(href="#{loginDomain}/login?dest=#{encodeURIComponent(redirect)}") Log in
       span  · 
       a#register.navbar-link(href="/register") Register
 
@@ -69,4 +70,4 @@ mixin navlogoutform(redirect)
   p#logoutform.navbar-text.pull-right
     span#welcome Welcome, #{loginName}
     span  · 
-    a#logout.navbar-link(href="/logout?dest=#{redirect}") Logout
+    a#logout.navbar-link(href="/logout?dest=#{encodeURIComponent(redirect)}&_csrf=#{csrfToken}") Logout

templates/register.jade

@@ -29,6 +29,7 @@ html(lang="en")
                 p= registerError
             h2 Register
             form(role="form", action="/register", method="post", onsubmit="return verify()")
+              input(type="hidden", name="_csrf", value=csrfToken)
               .form-group
                 label.control-label(for="username") Username
                 input#username.form-control(type="text", name="name")