
csrf: reuse the cookie in reset password

There is no need to generate a new cookie each time.

Signed-off-by: Nicola Murino <[email protected]>
Nicola Murino 1 year ago
parent
commit
bd5b32101f
3 changed files with 6 additions and 4 deletions
  1. 4 2
      internal/httpd/server.go
  2. 1 1
      internal/httpd/webadmin.go
  3. 1 1
      internal/httpd/webclient.go

+ 4 - 2
internal/httpd/server.go

@@ -1530,7 +1530,8 @@ func (s *httpdServer) setupWebClientRoutes() {
 			s.router.Get(webClientForgotPwdPath, s.handleWebClientForgotPwd)
 			s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
 				Post(webClientForgotPwdPath, s.handleWebClientForgotPwdPost)
-			s.router.Get(webClientResetPwdPath, s.handleWebClientPasswordReset)
+			s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
+				Get(webClientResetPwdPath, s.handleWebClientPasswordReset)
 			s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
 				Post(webClientResetPwdPath, s.handleWebClientPasswordResetPost)
 			s.router.With(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromCookie),
@@ -1667,7 +1668,8 @@ func (s *httpdServer) setupWebAdminRoutes() {
 			s.router.Get(webAdminForgotPwdPath, s.handleWebAdminForgotPwd)
 			s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
 				Post(webAdminForgotPwdPath, s.handleWebAdminForgotPwdPost)
-			s.router.Get(webAdminResetPwdPath, s.handleWebAdminPasswordReset)
+			s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
+				Get(webAdminResetPwdPath, s.handleWebAdminPasswordReset)
 			s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
 				Post(webAdminResetPwdPath, s.handleWebAdminPasswordResetPost)
 		}
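Review bot: The reset-password GET at line 28-29 is the landing page of the link sent by e-mail, so it must still render when the browser has no CSRF cookie at all (a different device, or a cleared session); that works only because `jwtauth.Verify` parses an existing token into the request context and leaves rejection to a separate authenticator, which is not obvious from the route and should be stated next to it. The same wiring is repeated for the admin route at lines 38-39. I would add `// Verify only exposes an existing CSRF cookie to the handler so it can be reused; it does not reject requests without one.` above the `With(...)` on both routes. Both enclosing functions, setupWebClientRoutes and setupWebAdminRoutes, start and end outside these hunks.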

+ 1 - 1
internal/httpd/webadmin.go

@@ -729,7 +729,7 @@ func (s *httpdServer) renderResetPwdPage(w http.ResponseWriter, r *http.Request,
 		commonBasePage: getCommonBasePage(r),
 		CurrentURL:     webAdminResetPwdPath,
 		Error:          err,
-		CSRFToken:      createCSRFToken(w, r, s.csrfTokenAuth, xid.New().String(), webBaseAdminPath),
+		CSRFToken:      createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseAdminPath),
 		LoginURL:       webAdminLoginPath,
 		Title:          util.I18nResetPwdTitle,
 		Branding:       s.binding.Branding.WebAdmin,
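Review bot: The empty string passed at line 52 is a sentinel whose meaning is not visible at the call site; from the commit message it presumably tells createCSRFToken to keep the token already carried by the cookie instead of minting one under a fresh ID, but createCSRFToken is not on this page so that reading needs confirming. I would add `// empty ID: reuse the CSRF token from the existing cookie when present` on that line, and the same on the identical change at line 65 in webclient.go. The diffstat shows only this one line changed in each file, so the `xid` import must still be used elsewhere in both files or the build would break; worth a quick check. renderResetPwdPage starts and ends outside the hunk.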

+ 1 - 1
internal/httpd/webclient.go

@@ -570,7 +570,7 @@ func (s *httpdServer) renderClientResetPwdPage(w http.ResponseWriter, r *http.Re
 		commonBasePage: getCommonBasePage(r),
 		CurrentURL:     webClientResetPwdPath,
 		Error:          err,
-		CSRFToken:      createCSRFToken(w, r, s.csrfTokenAuth, xid.New().String(), webBaseClientPath),
+		CSRFToken:      createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseClientPath),
 		LoginURL:       webClientLoginPath,
 		Title:          util.I18nResetPwdTitle,
 		Branding:       s.binding.Branding.WebClient,