From b30b3bd0faae77830944def1713781c5bf1b3fab Mon Sep 17 00:00:00 2001 From: the lemons Date: Fri, 7 Apr 2023 06:27:11 -0500 Subject: CSRF prevention --- auth.cgi | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'auth.cgi') diff --git a/auth.cgi b/auth.cgi index b6513d6..3005f02 100755 --- a/auth.cgi +++ b/auth.cgi @@ -202,12 +202,12 @@ post["^/login$"] = function(info) end end -local function account_page(user, messages) +local function account_page(user, token, messages) return citrine.page {title = "user profile", function() citrine.h1 "user profile" html.div({class = 'box user-settings'}, function() html.h2(user:get "username") - forms.user_settings(user, messages) + forms.user_settings(user, token, messages) end) end} end @@ -218,7 +218,7 @@ get["^/account$"] = function(info) if not user then cgi.redirect(302, "/login") end - return 'text/html', account_page(user) + return 'text/html', account_page(user, info.cookie.token) end post["^/account$"] = function(info) @@ -231,6 +231,10 @@ post["^/account$"] = function(info) if not form then cgi.abort(400) end + -- prevent CSRF + if form.token ~= info.cookie.token then + cgi.abort(400) + end if form.logout then if form.everywhere then user:revoke_tokens() @@ -275,7 +279,7 @@ post["^/account$"] = function(info) end txn:commit() user.txn = db.txn() - return 'text/html', account_page(user, messages) + return 'text/html', account_page(user, info.cookie.token, messages) end get["^/api/user/(%w+)$"] = function(info, uid) -- cgit v1.2.3