Add CSRF token challenge on login

2018-10-26 14:50:57 +02:00 · 2018-10-26 14:50:57 +02:00 · 548f838e60
parent 86c319bac9
commit 548f838e60
4 changed files with 20 additions and 5 deletions
--- a/1
+++ b/1
@ -17,6 +17,7 @@ Revision history for Lufi
 	- Add a test suite
 	- MySQL support
 	- Display max size on upload page
+	- Add CSRF token challenge on login

 0.02.2 2017-09-18
 	- Fix cron tasks bug
--- a/lib/Lufi/Controller/Auth.pm
+++ b/lib/Lufi/Controller/Auth.pm
@ -18,11 +18,16 @@ sub login {
    my $login = $c->param('login');
    my $pwd   = $c->param('password');

-    if($c->authenticate($login, $pwd)) {
-        $c->redirect_to('index');
-    } else {
-        $c->stash(msg => $c->l('Please, check your credentials or your right to access this service: unable to authenticate.'));
+    if ($c->validation->csrf_protect->has_error('csrf_token')) {
+        $c->stash(msg => $c->l('Bad CSRF token.'));
        $c->render(template => 'login');
+    } else {
+        if($c->authenticate($login, $pwd)) {
+            $c->redirect_to('index');
+        } else {
+            $c->stash(msg => $c->l('Please, check your credentials or your right to access this service: unable to authenticate.'));
+            $c->render(template => 'login');
+        }
    }
 }

--- a/t/test.t
+++ b/t/test.t
@ -202,7 +202,15 @@ sub test_login {
      ->status_is(200)
      ->content_like(qr@Signin@);

-    $t->post_ok('/login' => form => { login => $login, password => $pass })
+    my $token = '';
+
+    $t->post_ok('/login' => form => { login => $login, password => $pass, csrf_token => $token })
+      ->status_is(200)
+      ->content_like(qr@Bad CSRF token\.@);
+
+    $token = $t->ua->get('/login')->res->dom->find('input[name="csrf_token"]')->first->attr('value');
+
+    $t->post_ok('/login' => form => { login => $login, password => $pass, csrf_token => $token })
      ->status_is(302)
      ->header_is(Location => '/');

--- a/themes/default/templates/login.html.ep
+++ b/themes/default/templates/login.html.ep
@ -21,6 +21,7 @@
            <label for="password"><%= l('Password') %></label>
        </div>
    </div>
+    %= csrf_field
    <div class="col s8 m8 offset-s2 offset-m2">
        <button class="btn waves-effect waves-light" type="submit" name="action">
            <%= l('Signin') %>