diff --git a/core/server/middleware/index.js b/core/server/middleware/index.js
index 08474bb9f7..3f492db957 100644
--- a/core/server/middleware/index.js
+++ b/core/server/middleware/index.js
@@ -28,11 +28,11 @@ function ghostLocals(req, res, next) {
 res.locals = res.locals || {};
 res.locals.version = packageInfo.version;
 res.locals.path = req.path;
- res.locals.csrfToken = req.csrfToken();
 // Strip off the subdir part of the path
 res.locals.ghostRoot = req.path.replace(ghost.blogGlobals().path.replace(/\/$/, ''), '');
 if (res.isAdmin) {
+ res.locals.csrfToken = req.csrfToken();
 api.users.read({id: req.session.user}).then(function (currentUser) {
 _.extend(res.locals, {
 currentUser: {
@@ -187,11 +187,11 @@ module.exports = function (server) {
 server.use(express.session({
 store: new BSStore(ghost.dataProvider),
 secret: ghost.dbHash,
- cookie: { maxAge: 12 * 60 * 60 * 1000 }
+ cookie: { path: '/ghost', maxAge: 12 * 60 * 60 * 1000 }
 }));
 //enable express csrf protection
- server.use(express.csrf());
+ server.use(middleware.conditionalCSRF);
 // local data
 server.use(ghostLocals);
 // So on every request we actually clean out reduntant passive notifications from the server side
diff --git a/core/server/middleware/middleware.js b/core/server/middleware/middleware.js
index 3f2e7a7d4e..f01ad2abec 100644
--- a/core/server/middleware/middleware.js
+++ b/core/server/middleware/middleware.js
@@ -120,6 +120,16 @@ var middleware = {
 // to allow unit testing
 forwardToExpressStatic: function (req, res, next) {
 return express['static'](config.paths().activeTheme)(req, res, next);
+ },
+
+ conditionalCSRF: function (req, res, next) {
+ var csrf = express.csrf();
+ // CSRF is needed for admin only
+ if (res.isAdmin) {
+ csrf(req, res, next);
+ return;
+ }
+ next();
 }
 };
diff --git a/core/server/routes/admin.js b/core/server/routes/admin.js
index b53be0e7b0..2f07c52a61 100644
--- a/core/server/routes/admin.js
+++ b/core/server/routes/admin.js
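Review bot: The relocated `res.locals.csrfToken = req.csrfToken();` now depends on `req.csrfToken` existing, which is only the case when the CSRF middleware ran for this request, and nothing in ghostLocals says that both are keyed off the same `res.isAdmin` flag. I would add, above that line, `// req.csrfToken() only exists when conditionalCSRF ran; both are gated on res.isAdmin, keep them in step` so nobody later hoists the assignment back out of the branch and gets a TypeError on frontend requests. ghostLocals continues past the end of the hunk.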
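Review bot: `cookie: { path: '/ghost', maxAge: ... }` hard-codes the cookie path at the site root, yet the ghostLocals hunk in this same file strips a subdirectory from `req.path` using `ghost.blogGlobals().path`, so an install served under a subdirectory has its admin at `<subdir>/ghost/` and the browser would never send this session cookie there, presumably breaking login entirely. The path should be derived from the same value, e.g. `cookie: { path: ghost.blogGlobals().path.replace(/\/$/, '') + '/ghost', maxAge: 12 * 60 * 60 * 1000 }`, assuming blogGlobals() is populated by the time this setup code runs (the enclosing `module.exports = function (server)` starts before the hunk). It is also worth a comment that the cookie `path` attribute is scoping, not a security boundary: same-origin script on a frontend page can still issue requests to /ghost, so CSRF coverage must not rely on it.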
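Review bot: `var csrf = express.csrf();` in conditionalCSRF builds a fresh csrf middleware instance on every request; the factory takes no per-request input, so create it once, e.g. `var csrf = express.csrf();` above `var middleware = {` (that object opens before the hunk) and `if (res.isAdmin) { return csrf(req, res, next); }` inside. More importantly, CSRF enforcement now hinges entirely on `res.isAdmin` being set by an earlier middleware that is not visible here, for every route that changes state, including whatever API endpoints the admin client posts to; any state-changing route served with `res.isAdmin` unset is now unprotected where `express.csrf()` previously covered everything. I would state that contract on the function: `// Relies on res.isAdmin having been set upstream; a state-changing route without it runs with no CSRF check.`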
@@ -24,15 +24,28 @@ module.exports = function (server) {
 var root = server.get('ghost root').replace(/\/$/, '');
 // ### Admin routes
 /* TODO: put these somewhere in admin */
- server.get(/logout/, function redirect(req, res) {
+ server.get('/logout/', function redirect(req, res) {
 /*jslint unparam:true*/
- res.redirect(301, root + '/signout/');
+ res.redirect(301, root + '/ghost/signout/');
+ });
+ server.get('/signout/', function redirect(req, res) {
+ /*jslint unparam:true*/
+ res.redirect(301, root + '/ghost/signout/');
+ });
+ server.get('/signin/', function redirect(req, res) {
+ /*jslint unparam:true*/
+ res.redirect(301, root + '/ghost/signin/');
+ });
+ server.get('/signup/', function redirect(req, res) {
+ /*jslint unparam:true*/
+ res.redirect(301, root + '/ghost/signup/');
 });
- server.get(/signout/, admin.logout);
 server.get('/ghost/login/', function redirect(req, res) {
 /*jslint unparam:true*/
 res.redirect(301, root + '/ghost/signin/');
 });
+
+ server.get('/ghost/signout/', admin.logout);
 server.get('/ghost/signin/', redirectToSignup, middleware.redirectToDashboard, admin.login);
 server.get('/ghost/signup/', middleware.redirectToDashboard, admin.signup);
 server.get('/ghost/forgotten/', middleware.redirectToDashboard, admin.forgotten);
diff --git a/core/server/views/partials/navbar.hbs b/core/server/views/partials/navbar.hbs
index 86239c95aa..229ba36d13 100644
--- a/core/server/views/partials/navbar.hbs
+++ b/core/server/views/partials/navbar.hbs
@@ -16,7 +16,7 @@
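Review bot: `server.get('/ghost/signout/', admin.logout)` ends the session on a plain GET, and express.csrf() only validates tokens on state-changing methods, so any third-party page can log an admin out with `<img src=".../ghost/signout/">`; the new `/logout/` and `/signout/` 301s make that path even easier to hit. Consider making signout a POST that carries the csrf token (the navbar link would become a small form), or at minimum have the GET handler require a token in the query string. Separately, these redirects use 301, which browsers cache indefinitely; a 302 is the safer choice for auth-flow redirects that may move again. `module.exports = function (server)` continues outside the hunk.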
  • Help / Support
  • -
  • Sign Out
  • +
  • Sign Out
  • diff --git a/core/test/functional/base.js b/core/test/functional/base.js index 02030919b8..029f1f5cc2 100644 --- a/core/test/functional/base.js +++ b/core/test/functional/base.js @@ -95,7 +95,7 @@ var CasperTest = (function () { casper.test.tearDown(function (done) { casper.then(_beforeDoneHandler); - casper.thenOpen(url + 'signout/'); + casper.thenOpen(url + 'ghost\/signout/'); casper.waitForResource(/ghost\/sign/); @@ -189,7 +189,7 @@ CasperTest.Routines = (function () { } function logout(test) { - casper.thenOpen(url + 'signout/'); + casper.thenOpen(url + 'ghost\/signout/'); // Wait for signin or signup casper.waitForResource(/ghost\/sign/); }