From bd5b32101fd740339b7b7bffa802e25cf491ad1f Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Sat, 15 Jun 2024 15:18:17 +0200
Subject: [PATCH] csrf: reuse the cookie in reset password

no need to generate a new cookie each time.

Signed-off-by: Nicola Murino
---
 internal/httpd/server.go | 6 ++++--
 internal/httpd/webadmin.go | 2 +-
 internal/httpd/webclient.go | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/internal/httpd/server.go b/internal/httpd/server.go
index c8a7e3c9..01918377 100644
--- a/internal/httpd/server.go
+++ b/internal/httpd/server.go
@@ -1530,7 +1530,8 @@ func (s *httpdServer) setupWebClientRoutes() {
 s.router.Get(webClientForgotPwdPath, s.handleWebClientForgotPwd)
 s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
 Post(webClientForgotPwdPath, s.handleWebClientForgotPwdPost)
- s.router.Get(webClientResetPwdPath, s.handleWebClientPasswordReset)
+ s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
+ Get(webClientResetPwdPath, s.handleWebClientPasswordReset)
 s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
 Post(webClientResetPwdPath, s.handleWebClientPasswordResetPost)
 s.router.With(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromCookie),
@@ -1667,7 +1668,8 @@ func (s *httpdServer) setupWebAdminRoutes() {
 s.router.Get(webAdminForgotPwdPath, s.handleWebAdminForgotPwd)
 s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
 Post(webAdminForgotPwdPath, s.handleWebAdminForgotPwdPost)
- s.router.Get(webAdminResetPwdPath, s.handleWebAdminPasswordReset)
+ s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
+ Get(webAdminResetPwdPath, s.handleWebAdminPasswordReset)
 s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
 Post(webAdminResetPwdPath, s.handleWebAdminPasswordResetPost)
 }
diff --git a/internal/httpd/webadmin.go b/internal/httpd/webadmin.go
index a3ee7269..c19bee1c 100644
--- a/internal/httpd/webadmin.go
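Review bot: Attaching `jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)` to a GET route in setupWebClientRoutes reads as a CSRF check on a safe method, which is not what it does here; the same applies to the webAdminResetPwdPath registration in the second hunk of this file. As implemented in go-chi/jwtauth, `Verify` only parses the cookie into the request context and never rejects the request, so the actual intent (let the render path find an existing CSRF token and reuse it instead of minting a new cookie on every page load) deserves a comment next to the route, e.g. `// Verify does not reject: it only exposes an existing CSRF cookie to the handler so the reset page can reuse it.` Both enclosing functions continue outside their hunks.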
+++ b/internal/httpd/webadmin.go
@@ -729,7 +729,7 @@ func (s *httpdServer) renderResetPwdPage(w http.ResponseWriter, r *http.Request,
 commonBasePage: getCommonBasePage(r),
 CurrentURL: webAdminResetPwdPath,
 Error: err,
- CSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, xid.New().String(), webBaseAdminPath),
+ CSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseAdminPath),
 LoginURL: webAdminLoginPath,
 Title: util.I18nResetPwdTitle,
 Branding: s.binding.Branding.WebAdmin,
diff --git a/internal/httpd/webclient.go b/internal/httpd/webclient.go
index 88596dc3..6f0ed5a3 100644
--- a/internal/httpd/webclient.go
+++ b/internal/httpd/webclient.go
@@ -570,7 +570,7 @@ func (s *httpdServer) renderClientResetPwdPage(w http.ResponseWriter, r *http.Re
 commonBasePage: getCommonBasePage(r),
 CurrentURL: webClientResetPwdPath,
 Error: err,
- CSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, xid.New().String(), webBaseClientPath),
+ CSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseClientPath),
 LoginURL: webClientLoginPath,
 Title: util.I18nResetPwdTitle,
 Branding: s.binding.Branding.WebClient,
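Review bot: Passing `""` as the token ID to `createCSRFToken` in renderResetPwdPage makes the empty string a sentinel whose meaning (presumably: reuse the CSRF token already in the request context, mint a new one otherwise) is not visible in this patch; the identical call appears in renderClientResetPwdPage in webclient.go. Two cases are worth confirming in createCSRFToken, since the reset page is typically the first request of the flow and so arrives with no cookie, or with one that Verify left as an error in the context because it expired: it must fall back to a freshly generated token in both cases rather than render an empty CSRFToken, and a reused token inherits the remaining lifetime of the old cookie, so a user who submits late would hit a CSRF failure on the POST. A short comment at the call site would make the sentinel explicit, e.g. `// empty token ID: reuse the CSRF token already in the request context, if any`. Both enclosing functions start outside their hunks.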