Remove cookie from Frontend

closes #1437
closes #1472

- changed cookie to path:'/ghost'
- added conditional CSRF middleware
- added redirects for signup, signin, signout to /ghost/sign*/

core/server/middleware/index.js

@@ -28,11 +28,11 @@ function ghostLocals(req, res, next) {
     res.locals = res.locals || {};
     res.locals.version = packageInfo.version;
     res.locals.path = req.path;
-    res.locals.csrfToken = req.csrfToken();
     // Strip off the subdir part of the path
     res.locals.ghostRoot = req.path.replace(ghost.blogGlobals().path.replace(/\/$/, ''), '');
 
     if (res.isAdmin) {
+        res.locals.csrfToken = req.csrfToken();
         api.users.read({id: req.session.user}).then(function (currentUser) {
             _.extend(res.locals,  {
                 currentUser: {
@@ -187,11 +187,11 @@ module.exports = function (server) {
     server.use(express.session({
         store: new BSStore(ghost.dataProvider),
         secret: ghost.dbHash,
-        cookie: { maxAge: 12 * 60 * 60 * 1000 }
+        cookie: { path: '/ghost', maxAge: 12 * 60 * 60 * 1000 }
     }));
 
     //enable express csrf protection
-    server.use(express.csrf());
+    server.use(middleware.conditionalCSRF);
     // local data
     server.use(ghostLocals);
     // So on every request we actually clean out reduntant passive notifications from the server side

core/server/middleware/middleware.js

@@ -120,6 +120,16 @@ var middleware = {
     // to allow unit testing
     forwardToExpressStatic: function (req, res, next) {
         return express['static'](config.paths().activeTheme)(req, res, next);
+    },
+
+    conditionalCSRF: function (req, res, next) {
+        var csrf = express.csrf();
+        // CSRF is needed for admin only
+        if (res.isAdmin) {
+            csrf(req, res, next);
+            return;
+        }
+        next();
     }
 };
 

core/server/routes/admin.js

@@ -24,15 +24,28 @@ module.exports = function (server) {
     var root = server.get('ghost root').replace(/\/$/, '');
     // ### Admin routes
     /* TODO: put these somewhere in admin */
-    server.get(/logout/, function redirect(req, res) {
+    server.get('/logout/', function redirect(req, res) {
         /*jslint unparam:true*/
-        res.redirect(301, root + '/signout/');
+        res.redirect(301, root + '/ghost/signout/');
+    });
+    server.get('/signout/', function redirect(req, res) {
+        /*jslint unparam:true*/
+        res.redirect(301, root + '/ghost/signout/');
+    });
+    server.get('/signin/', function redirect(req, res) {
+        /*jslint unparam:true*/
+        res.redirect(301, root + '/ghost/signin/');
+    });
+    server.get('/signup/', function redirect(req, res) {
+        /*jslint unparam:true*/
+        res.redirect(301, root + '/ghost/signup/');
     });
-    server.get(/signout/, admin.logout);
     server.get('/ghost/login/', function redirect(req, res) {
         /*jslint unparam:true*/
         res.redirect(301, root + '/ghost/signin/');
     });
+
+    server.get('/ghost/signout/', admin.logout);
     server.get('/ghost/signin/', redirectToSignup, middleware.redirectToDashboard, admin.login);
     server.get('/ghost/signup/', middleware.redirectToDashboard, admin.signup);
     server.get('/ghost/forgotten/', middleware.redirectToDashboard, admin.forgotten);

core/server/views/partials/navbar.hbs

@@ -16,7 +16,7 @@
                     <li class="divider"></li>
                     <li class="usermenu-help"><a href="http://ghost.org/forum/">Help / Support</a></li>
                     <li class="divider"></li>
-                    <li class="usermenu-signout"><a href="/signout/">Sign Out</a></li>
+                    <li class="usermenu-signout"><a href="/ghost/signout/">Sign Out</a></li>
                 </ul>
             </li>
         </ul>

core/test/functional/base.js

@@ -95,7 +95,7 @@ var CasperTest = (function () {
     casper.test.tearDown(function (done) {
         casper.then(_beforeDoneHandler);
 
-        casper.thenOpen(url + 'signout/');
+        casper.thenOpen(url + 'ghost\/signout/');
 
         casper.waitForResource(/ghost\/sign/);
 
@@ -189,7 +189,7 @@ CasperTest.Routines = (function () {
     }
 
     function logout(test) {
-        casper.thenOpen(url + 'signout/');
+        casper.thenOpen(url + 'ghost\/signout/');
         // Wait for signin or signup
         casper.waitForResource(/ghost\/sign/);
     }