csrf: reuse the cookie in reset password

no need to generate a new cookie each time.

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2024-06-15 15:18:17 +02:00
parent 8208ac817d
commit bd5b32101f
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
3 changed files with 6 additions and 4 deletions

View file

@ -1530,7 +1530,8 @@ func (s *httpdServer) setupWebClientRoutes() {
s.router.Get(webClientForgotPwdPath, s.handleWebClientForgotPwd) s.router.Get(webClientForgotPwdPath, s.handleWebClientForgotPwd)
s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)). s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
Post(webClientForgotPwdPath, s.handleWebClientForgotPwdPost) Post(webClientForgotPwdPath, s.handleWebClientForgotPwdPost)
s.router.Get(webClientResetPwdPath, s.handleWebClientPasswordReset) s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
Get(webClientResetPwdPath, s.handleWebClientPasswordReset)
s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)). s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
Post(webClientResetPwdPath, s.handleWebClientPasswordResetPost) Post(webClientResetPwdPath, s.handleWebClientPasswordResetPost)
s.router.With(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromCookie), s.router.With(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromCookie),
@ -1667,7 +1668,8 @@ func (s *httpdServer) setupWebAdminRoutes() {
s.router.Get(webAdminForgotPwdPath, s.handleWebAdminForgotPwd) s.router.Get(webAdminForgotPwdPath, s.handleWebAdminForgotPwd)
s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)). s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
Post(webAdminForgotPwdPath, s.handleWebAdminForgotPwdPost) Post(webAdminForgotPwdPath, s.handleWebAdminForgotPwdPost)
s.router.Get(webAdminResetPwdPath, s.handleWebAdminPasswordReset) s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
Get(webAdminResetPwdPath, s.handleWebAdminPasswordReset)
s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)). s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
Post(webAdminResetPwdPath, s.handleWebAdminPasswordResetPost) Post(webAdminResetPwdPath, s.handleWebAdminPasswordResetPost)
} }

View file

@ -729,7 +729,7 @@ func (s *httpdServer) renderResetPwdPage(w http.ResponseWriter, r *http.Request,
commonBasePage: getCommonBasePage(r), commonBasePage: getCommonBasePage(r),
CurrentURL: webAdminResetPwdPath, CurrentURL: webAdminResetPwdPath,
Error: err, Error: err,
CSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, xid.New().String(), webBaseAdminPath), CSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseAdminPath),
LoginURL: webAdminLoginPath, LoginURL: webAdminLoginPath,
Title: util.I18nResetPwdTitle, Title: util.I18nResetPwdTitle,
Branding: s.binding.Branding.WebAdmin, Branding: s.binding.Branding.WebAdmin,

View file

@ -570,7 +570,7 @@ func (s *httpdServer) renderClientResetPwdPage(w http.ResponseWriter, r *http.Re
commonBasePage: getCommonBasePage(r), commonBasePage: getCommonBasePage(r),
CurrentURL: webClientResetPwdPath, CurrentURL: webClientResetPwdPath,
Error: err, Error: err,
CSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, xid.New().String(), webBaseClientPath), CSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseClientPath),
LoginURL: webClientLoginPath, LoginURL: webClientLoginPath,
Title: util.I18nResetPwdTitle, Title: util.I18nResetPwdTitle,
Branding: s.binding.Branding.WebClient, Branding: s.binding.Branding.WebClient,