Combine CORS and CSRF into new "security" hook

Also streamlines CSRF settings: * Makes the former `/csrfToken` route into an action for the user to bind themselves * Supports `csrf: true` and `csrf: false` on a per-route basis instead of the `routesDisabled` list * No longer supports CSRF-specific CORS settings
balderdashy · Oct 20, 2016 · 7328c05 · 7328c05
1 parent 9ce56ff
commit 7328c05
Show file tree

Hide file tree

Showing 14 changed files with 573 additions and 935 deletions.
diff --git a/lib/app/configuration/default-hooks.js b/lib/app/configuration/default-hooks.js
@@ -20,8 +20,7 @@ module.exports = {
   'pubsub': true,
   'policies': true,
   'services': true,
-  'csrf': true,
-  'cors': true,
+  'security': true,
   'i18n': true,
   'userconfig': true,
   'session': true,

diff --git a/lib/hooks/cors/clear-headers.js b/lib/hooks/cors/clear-headers.js
diff --git a/lib/hooks/cors/index.js b/lib/hooks/cors/index.js