diff options
Diffstat (limited to 'auth.cgi')
-rwxr-xr-x | auth.cgi | 12 |
1 files changed, 8 insertions, 4 deletions
@@ -202,12 +202,12 @@ post["^/login$"] = function(info) end end -local function account_page(user, messages) +local function account_page(user, token, messages) return citrine.page {title = "user profile", function() citrine.h1 "user profile" html.div({class = 'box user-settings'}, function() html.h2(user:get "username") - forms.user_settings(user, messages) + forms.user_settings(user, token, messages) end) end} end @@ -218,7 +218,7 @@ get["^/account$"] = function(info) if not user then cgi.redirect(302, "/login") end - return 'text/html', account_page(user) + return 'text/html', account_page(user, info.cookie.token) end post["^/account$"] = function(info) @@ -231,6 +231,10 @@ post["^/account$"] = function(info) if not form then cgi.abort(400) end + -- prevent CSRF + if form.token ~= info.cookie.token then + cgi.abort(400) + end if form.logout then if form.everywhere then user:revoke_tokens() @@ -275,7 +279,7 @@ post["^/account$"] = function(info) end txn:commit() user.txn = db.txn() - return 'text/html', account_page(user, messages) + return 'text/html', account_page(user, info.cookie.token, messages) end get["^/api/user/(%w+)$"] = function(info, uid) |