MirrorMirror
/
lufi
mirror of https://framagit.org/fiat-tux/hat-softwares/lufi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add CSRF token challenge on login

This commit is contained in:
Luc Didry 2018-10-26 14:50:57 +02:00
parent 86c319bac9
commit 548f838e60
No known key found for this signature in database
GPG Key ID: EA868E12D0257E3C
4 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG
View File

@ -17,6 +17,7 @@ Revision history for Lufi
- Add a test suite - Add a test suite
- MySQL support - MySQL support
- Display max size on upload page - Display max size on upload page
- Add CSRF token challenge on login
0.02.2 2017-09-18 0.02.2 2017-09-18
- Fix cron tasks bug - Fix cron tasks bug

13
lib/Lufi/Controller/Auth.pm
View File

@ -18,11 +18,16 @@ sub login {
my $login = $c->param('login'); my $login = $c->param('login');
my $pwd = $c->param('password'); my $pwd = $c->param('password');
if($c->authenticate($login, $pwd)) { if ($c->validation->csrf_protect->has_error('csrf_token')) {
$c->redirect_to('index'); $c->stash(msg => $c->l('Bad CSRF token.'));
} else {
$c->stash(msg => $c->l('Please, check your credentials or your right to access this service: unable to authenticate.'));
$c->render(template => 'login'); $c->render(template => 'login');
} else {
if($c->authenticate($login, $pwd)) {
$c->redirect_to('index');
} else {
$c->stash(msg => $c->l('Please, check your credentials or your right to access this service: unable to authenticate.'));
$c->render(template => 'login');
}
} }
} }

10
t/test.t
View File

@ -202,7 +202,15 @@ sub test_login {
->status_is(200) ->status_is(200)
->content_like(qr@Signin@); ->content_like(qr@Signin@);
$t->post_ok('/login' => form => { login => $login, password => $pass }) my $token = '';
$t->post_ok('/login' => form => { login => $login, password => $pass, csrf_token => $token })
->status_is(200)
->content_like(qr@Bad CSRF token\.@);
$token = $t->ua->get('/login')->res->dom->find('input[name="csrf_token"]')->first->attr('value');
$t->post_ok('/login' => form => { login => $login, password => $pass, csrf_token => $token })
->status_is(302) ->status_is(302)
->header_is(Location => '/'); ->header_is(Location => '/');

1
themes/default/templates/login.html.ep
View File

@ -21,6 +21,7 @@
<label for="password"><%= l('Password') %></label> <label for="password"><%= l('Password') %></label>
</div> </div>
</div> </div>
%= csrf_field
<div class="col s8 m8 offset-s2 offset-m2"> <div class="col s8 m8 offset-s2 offset-m2">
<button class="btn waves-effect waves-light" type="submit" name="action"> <button class="btn waves-effect waves-light" type="submit" name="action">
<%= l('Signin') %> <%= l('Signin') %>