Diffstat (limited to 'auth.cgi')
-rwxr-xr-xauth.cgi12
1 files changed, 8 insertions, 4 deletions
diff --git a/auth.cgi b/auth.cgi
index b6513d6..3005f02 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -202,12 +202,12 @@ post["^/login$"] = function(info)
end
end
-local function account_page(user, messages)
+local function account_page(user, token, messages)
return citrine.page {title = "user profile", function()
citrine.h1 "user profile"
html.div({class = 'box user-settings'}, function()
html.h2(user:get "username")
- forms.user_settings(user, messages)
+ forms.user_settings(user, token, messages)
end)
end}
end
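Review bot: The new positional `token` parameter on `account_page` sits between `user` and `messages` and is forwarded straight into `forms.user_settings`, but nothing at the definition says what it is or where it ends up; a caller reading the signature cannot tell it from an API token. A short LDoc block above the function would make the contract explicit, e.g. `-- @param token value of the session cookie, passed to forms.user_settings as the anti-CSRF field` (hedged: forms.user_settings is outside this diff, so confirm that is what it does with it). The change to this definition is also only as safe as the other two call sites updated in this commit, which is worth noting in the commit message.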
@@ -218,7 +218,7 @@ get["^/account$"] = function(info)
if not user then
cgi.redirect(302, "/login")
end
- return 'text/html', account_page(user)
+ return 'text/html', account_page(user, info.cookie.token)
end
post["^/account$"] = function(info)
@@ -231,6 +231,10 @@ post["^/account$"] = function(info)
if not form then
cgi.abort(400)
end
+ -- prevent CSRF
+ if form.token ~= info.cookie.token then
+ cgi.abort(400)
+ end
if form.logout then
if form.everywhere then
user:revoke_tokens()
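Review bot: The comparison `form.token ~= info.cookie.token` passes when both sides are nil, so a request with neither a form token nor a token cookie is not rejected by this check; the start of the handler is outside the hunk, so it may already reject a missing cookie, but the guard should not depend on that. A one-line tightening keeps the intent: `if not info.cookie.token or form.token ~= info.cookie.token then`. Separately, because the value compared here is the session cookie itself, the same secret is now rendered into the page as a form field, which widens where it can leak (page caches, referrers, any markup injection); deriving a distinct per-session CSRF value from it rather than reflecting the raw cookie would limit that exposure, if the surrounding code permits. A 403 would also describe the rejection more accurately than the 400 used for a malformed form above it.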
@@ -275,7 +279,7 @@ post["^/account$"] = function(info)
end
txn:commit()
user.txn = db.txn()
- return 'text/html', account_page(user, messages)
+ return 'text/html', account_page(user, info.cookie.token, messages)
end
get["^/api/user/(%w+)$"] = function(info, uid)