From b30b3bd0faae77830944def1713781c5bf1b3fab Mon Sep 17 00:00:00 2001
From: the lemons
Date: Fri, 7 Apr 2023 06:27:11 -0500
Subject: CSRF prevention
---
 auth.cgi | 12 ++++++++----
 forms.lua | 6 +++++-
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/auth.cgi b/auth.cgi
index b6513d6..3005f02 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -202,12 +202,12 @@ post["^/login$"] = function(info)
 end
 end
-local function account_page(user, messages)
+local function account_page(user, token, messages)
 return citrine.page {title = "user profile", function()
 citrine.h1 "user profile"
 html.div({class = 'box user-settings'}, function()
 html.h2(user:get "username")
-forms.user_settings(user, messages)
+forms.user_settings(user, token, messages)
 end)
 end}
 end
@@ -218,7 +218,7 @@ get["^/account$"] = function(info)
 if not user then
 cgi.redirect(302, "/login")
 end
-return 'text/html', account_page(user)
+return 'text/html', account_page(user, info.cookie.token)
 end
 post["^/account$"] = function(info)
@@ -231,6 +231,10 @@ post["^/account$"] = function(info)
 if not form then
 cgi.abort(400)
 end
+-- prevent CSRF
+if form.token ~= info.cookie.token then
+cgi.abort(400)
+end
 if form.logout then
 if form.everywhere then
 user:revoke_tokens()
@@ -275,7 +279,7 @@ post["^/account$"] = function(info)
 end
 txn:commit()
 user.txn = db.txn()
-return 'text/html', account_page(user, messages)
+return 'text/html', account_page(user, info.cookie.token, messages)
 end
 get["^/api/user/(%w+)$"] = function(info, uid)
diff --git a/forms.lua b/forms.lua
index d4084a4..50ee140 100644
--- a/forms.lua
+++ b/forms.lua
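Review bot: The value passed on the new `return 'text/html', account_page(user, info.cookie.token)` line is presumably the same cookie the handler used to resolve `user` (that lookup sits above the hunk), so the session credential itself becomes the CSRF token rendered into every form; hunk 4 and both forms.lua hunks do the same. That works as a double-submit check, but it copies the credential into page bodies, so any disclosure of rendered HTML (a cached or saved page, a shared screen) now yields the session rather than a single-purpose value. A separate per-session random value stored next to the session, or an HMAC of the session token under a server-side key, gives the same protection without exposing the credential, and only the comparison in the POST handler would need to change. The `get["^/account$"]` handler starts before this hunk.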
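Review bot: The new guard `if form.token ~= info.cookie.token then` passes when both sides are nil, so a request carrying neither a token cookie nor a token field is not rejected by this check; whether such a request can reach this point depends on the user lookup above the hunk, but the guard should not rely on that. Making presence explicit keeps it self-contained: `if type(form.token) ~= "string" or form.token ~= info.cookie.token then`. A failed CSRF check is also a refusal rather than a malformed request, so if `cgi.abort` accepts other statuses, `cgi.abort(403)` would distinguish it in logs from the parse failure two lines above. The `post["^/account$"]` handler starts before this hunk and continues past it.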
@@ -86,13 +86,15 @@ function M.connect(uid, token, meta, endpoint)
 end)
 end
-function M.user_settings(user, messages)
+function M.user_settings(user, token, messages)
 show_messages(messages)
 html.form({method = "POST"}, function()
+hidden('token', token)
 input('text', 'username', "username: ", user:get "username", "change")
 end)
 html.form({method = "POST"}, function()
+hidden('token', token)
 input('email', 'email', "email: ", user:get "email", "change")
 end)
@@ -102,11 +104,13 @@ function M.user_settings(user, token, messages)
 input('password', 'password', "current password: ")
 input('password', 'new_password', "new password: ")
 input('password', 'confirm_password', "confirm password: ")
+hidden('token', token)
 input('submit', nil, nil, "change")
 end)
 html.h3 "log out"
 html.form({method = "POST"}, function()
 hidden('logout', 'yes')
+hidden('token', token)
 input('checkbox', 'everywhere', "log out everywhere", nil, "log out")
 end)
-- cgit v1.2.3
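Review bot: `M.user_settings` now takes `token` between `user` and `messages`, but nothing says what it is or where it must come from, and the signature change silently breaks any caller still passing `(user, messages)` positionally. An LDoc block above the definition would fix the first, e.g. `--- Render the account settings forms.` followed by `-- @param token value the /account POST handler compares against the submitted 'token' field; pass the caller's current cookie token`. The same `hidden('token', token)` line is repeated in four forms across this hunk and the next, at different positions (first in the two forms here, after the inputs in the password form, after `hidden('logout', 'yes')` in the logout form); emitting it at one fixed spot in each form, or through a small local helper that opens the form and writes the hidden field, would keep the forms from drifting when another is added. The function body continues past the end of this hunk.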