diff options
author | the lemons <citrons@mondecitronne.com> | 2023-04-07 06:27:11 -0500 |
---|---|---|
committer | the lemons <citrons@mondecitronne.com> | 2023-04-07 06:27:11 -0500 |
commit | b30b3bd0faae77830944def1713781c5bf1b3fab (patch) | |
tree | b620e2114b814185b63bf1e08086d835bba816e9 | |
parent | d9bfac3d1628e328abaf9e11006d444412ce3f94 (diff) |
CSRF prevention
-rwxr-xr-x | auth.cgi | 12 | ||||
-rw-r--r-- | forms.lua | 6 |
2 files changed, 13 insertions, 5 deletions
@@ -202,12 +202,12 @@ post["^/login$"] = function(info) end end -local function account_page(user, messages) +local function account_page(user, token, messages) return citrine.page {title = "user profile", function() citrine.h1 "user profile" html.div({class = 'box user-settings'}, function() html.h2(user:get "username") - forms.user_settings(user, messages) + forms.user_settings(user, token, messages) end) end} end @@ -218,7 +218,7 @@ get["^/account$"] = function(info) if not user then cgi.redirect(302, "/login") end - return 'text/html', account_page(user) + return 'text/html', account_page(user, info.cookie.token) end post["^/account$"] = function(info) @@ -231,6 +231,10 @@ post["^/account$"] = function(info) if not form then cgi.abort(400) end + -- prevent CSRF + if form.token ~= info.cookie.token then + cgi.abort(400) + end if form.logout then if form.everywhere then user:revoke_tokens() @@ -275,7 +279,7 @@ post["^/account$"] = function(info) end txn:commit() user.txn = db.txn() - return 'text/html', account_page(user, messages) + return 'text/html', account_page(user, info.cookie.token, messages) end get["^/api/user/(%w+)$"] = function(info, uid) @@ -86,13 +86,15 @@ function M.connect(uid, token, meta, endpoint) end) end -function M.user_settings(user, messages) +function M.user_settings(user, token, messages) show_messages(messages) html.form({method = "POST"}, function() + hidden('token', token) input('text', 'username', "username: ", user:get "username", "change") end) html.form({method = "POST"}, function() + hidden('token', token) input('email', 'email', "email: ", user:get "email", "change") end) @@ -102,11 +104,13 @@ function M.user_settings(user, messages) input('password', 'password', "current password: ") input('password', 'new_password', "new password: ") input('password', 'confirm_password', "confirm password: ") + hidden('token', token) input('submit', nil, nil, "change") end) html.h3 "log out" html.form({method = "POST"}, function() hidden('logout', 'yes') + hidden('token', token) input('checkbox', 'everywhere', "log out everywhere", nil, "log out") end) |