
Added anti-forgery tokens to user-account-related requests. Unable to add them to login/registration because of the cross-domain support for the login/registration form.

tags/2.0.3
Teknikode 3 years ago
parent
commit
53d6fc1628

+ 8
- 0
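--- a/Teknik/Areas/User/Controllers/UserController.cs
+++ b/Teknik/Areas/User/Controllers/UserController.cs
@@ -314,6 +314,7 @@ namespace Teknik.Areas.Users.Controllers
 }
 
 [HttpPost]
+[ValidateAntiForgeryToken]
 public ActionResult Edit(string curPass, string newPass, string newPassConfirm, string pgpPublicKey, string recoveryEmail, bool allowTrustedDevices, bool twoFactorEnabled, string website, string quote, string about, string blogTitle, string blogDesc, bool saveKey, bool serverSideEncrypt)
 {
 if (ModelState.IsValid)
@@ -435,6 +436,7 @@ namespace Teknik.Areas.Users.Controllers
 }
 
 [HttpPost]
+[ValidateAntiForgeryToken]
 public ActionResult Delete()
 {
 if (ModelState.IsValid)
@@ -473,6 +475,7 @@ namespace Teknik.Areas.Users.Controllers
 }
 
 [HttpPost]
+[ValidateAntiForgeryToken]
 public ActionResult ResendVerifyRecoveryEmail()
 {
 if (ModelState.IsValid)
@@ -517,6 +520,7 @@ namespace Teknik.Areas.Users.Controllers
 
 [HttpPost]
 [AllowAnonymous]
+[ValidateAntiForgeryToken]
 public ActionResult SendResetPasswordVerification(string username)
 {
 if (ModelState.IsValid)
@@ -573,6 +577,7 @@ namespace Teknik.Areas.Users.Controllers
 }
 
 [HttpPost]
+[ValidateAntiForgeryToken]
 public ActionResult SetUserPassword(string password, string confirmPassword)
 {
 if (ModelState.IsValid)
@@ -626,6 +631,7 @@ namespace Teknik.Areas.Users.Controllers
 
 [HttpPost]
 [AllowAnonymous]
+[ValidateAntiForgeryToken]
 public ActionResult ConfirmAuthenticatorCode(string code, string returnUrl, bool rememberMe, bool rememberDevice, string deviceName)
 {
 User user = (User)Session["AuthenticatedUser"];
@@ -673,6 +679,7 @@ namespace Teknik.Areas.Users.Controllers
 }
 
 [HttpPost]
+[ValidateAntiForgeryToken]
 public ActionResult VerifyAuthenticatorCode(string code)
 {
 User user = UserHelper.GetUser(db, User.Identity.Name);
@@ -709,6 +716,7 @@ namespace Teknik.Areas.Users.Controllers
 }
 
 [HttpPost]
+[ValidateAntiForgeryToken]
 public ActionResult ClearTrustedDevices()
 {
 try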
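Review bot: The `[ValidateAntiForgeryToken]` line added in each of the eight hunks protects one action at a time, so any POST action added to this controller later stays unprotected unless its author remembers the attribute, and the deliberate exceptions (login/registration) live only in the commit message. A controller- or global-level authorization filter that calls `AntiForgery.Validate()` for every POST, plus an explicit opt-out attribute on the two cross-domain actions, would make protection the default and record the exception in code where the next reader can see it. Note also that a failed check surfaces as `HttpAntiForgeryException`, an error response rather than the `{ result: false }` JSON these actions otherwise return, so the AJAX callers need an `error:` path or a filter that converts it; none is visible in this commit. Every action body shown here continues outside its hunk.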

+ 2
- 2
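--- a/Teknik/Areas/User/Scripts/CheckAuthCode.js
+++ b/Teknik/Areas/User/Scripts/CheckAuthCode.js
@@ -10,12 +10,12 @@
 $.ajax({
 type: "POST",
 url: confirmAuthCodeURL,
-data: {
+data: AddAntiForgeryToken({
 code: setCode,
 returnUrl: returnUrl,
 rememberMe: rememberMe,
 rememberDevice: rememberDevice
-},
+}),
 xhrFields: {
 withCredentials: true
 },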
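Review bot: The `AddAntiForgeryToken({...})` on the `data:` line sends a token read from the current page's hidden field, but this request also sets `withCredentials: true`, which suggests the confirm-code POST may go to a different origin than the page hosting the form (the commit message says the login flow is cross-domain). MVC checks that field against the `__RequestVerificationToken` cookie it receives on the target host, so if that cookie is scoped to another host the POST fails with `HttpAntiForgeryException` even though the token is present. Worth confirming against the deployed domains; if `ConfirmAuthenticatorCode` is really called cross-origin it needs the same handling the commit gives login/registration. The `$.ajax` call continues outside the hunk.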

+ 11
- 11
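--- a/Teknik/Areas/User/Scripts/User.js
+++ b/Teknik/Areas/User/Scripts/User.js
@@ -8,7 +8,7 @@
 $.ajax({
 type: "POST",
 url: resendVerifyURL,
-data: {},
+data: AddAntiForgeryToken({}),
 success: function (html) {
 if (html.result) {
 window.location.reload();
@@ -43,9 +43,9 @@
 $.ajax({
 type: "POST",
 url: confirmAuthSetupURL,
-data: {
+data: AddAntiForgeryToken({
 code: setCode
-},
+}),
 success: function (html) {
 if (html.result) {
 $("#authSetupStatus").css('display', 'inline', 'important');
@@ -70,7 +70,7 @@
 $.ajax({
 type: "POST",
 url: clearTrustedDevicesURL,
-data: {},
+data: AddAntiForgeryToken({}),
 success: function (html) {
 if (html.result) {
 $('#ClearDevices').html('Clear Trusted Devices (0)');
@@ -98,7 +98,7 @@
 $.ajax({
 type: "POST",
 url: deleteUserURL,
-data: {},
+data: AddAntiForgeryToken({}),
 success: function (html) {
 if (html.result) {
 window.location.replace(homeUrl);
@@ -141,7 +141,7 @@
 $.ajax({
 type: "POST",
 url: editUserURL,
-data: {
+data: AddAntiForgeryToken({
 curPass: current_password,
 newPass: password,
 newPassConfirm: password_confirm,
@@ -156,7 +156,7 @@
 blogDesc: blog_desc,
 saveKey: upload_saveKey,
 serverSideEncrypt: upload_serverSideEncrypt
-},
+}),
 success: function (html) {
 $.unblockUI();
 if (html.result) {
@@ -190,9 +190,9 @@
 $.ajax({
 type: "POST",
 url: form.attr('action'),
-data: {
+data: AddAntiForgeryToken({
 username: username
-},
+}),
 success: function (html) {
 if (html.result) {
 $("#top_msg").css('display', 'inline', 'important');
@@ -217,10 +217,10 @@
 $.ajax({
 type: "POST",
 url: form.attr('action'),
-data: {
+data: AddAntiForgeryToken({
 password: password,
 confirmPassword: confirmPassword
-},
+}),
 success: function (html) {
 if (html.result) {
 $("#top_msg").css('display', 'inline', 'important');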
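Review bot: Each `$.ajax` call now posts `AddAntiForgeryToken(...)` on its `data:` line, but only a `success:` callback is visible in any of the eight hunks, and a missing or stale token (a view rendered without `_Layout`, or a page left open until the anti-forgery cookie no longer matches) makes the server reject the POST with an error status rather than the `{ result: false }` JSON these callbacks test, so the user sees nothing happen. An `error:` handler on these calls, or one shared `$(document).ajaxError(...)` that reports the failure, would make that visible; if the calls already carry one below the hunk this is moot. Each `$.ajax` call continues outside its hunk.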

+ 42
- 0
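--- a/Teknik/Scripts/Common.js
+++ b/Teknik/Scripts/Common.js
@@ -86,6 +86,43 @@ $(function () {
 if (lastTab) {
 $('[href="' + lastTab + '"]').tab('show');
 }
+
+$.appendAntiForgeryToken = function (data, token) {
+// Converts data if not already a string.
+if (data && typeof data !== "string") {
+data = $.param(data);
+}
+
+// Gets token from current window by default.
+token = token ? token : $.getAntiForgeryToken(); // $.getAntiForgeryToken(window).
+
+data = data ? data + "&" : "";
+// If token exists, appends {token.name}={token.value} to data.
+return token ? data + encodeURIComponent(token.name) + "=" + encodeURIComponent(token.value) : data;
+};
+
+$.getAntiForgeryToken = function (tokenWindow, appPath) {
+// HtmlHelper.AntiForgeryToken() must be invoked to print the token.
+tokenWindow = tokenWindow && typeof tokenWindow === typeof window ? tokenWindow : window;
+
+appPath = appPath && typeof appPath === "string" ? "_" + appPath.toString() : "";
+// The name attribute is either __RequestVerificationToken,
+// or __RequestVerificationToken_{appPath}.
+var tokenName = "__RequestVerificationToken" + appPath;
+
+// Finds the <input type="hidden" name={tokenName} value="..." /> from the specified window.
+// var inputElements = tokenWindow.$("input[type='hidden'][name=' + tokenName + "']");
+var inputElements = tokenWindow.document.getElementsByTagName("input");
+for (var i = 0; i < inputElements.length; i++) {
+var inputElement = inputElements[i];
+if (inputElement.type === "hidden" && inputElement.name === tokenName) {
+return {
+name: tokenName,
+value: inputElement.value
+};
+}
+}
+};
 });
 
 function removeAmp(code) {
@@ -132,6 +169,11 @@ function getAnchor() {
 return (urlParts.length > 1) ? urlParts[1] : null;
 }
 
+AddAntiForgeryToken = function (data) {
+data.__RequestVerificationToken = $('#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]').val();
+return data;
+};
+
 /***************************** TIMER Page Load *******************************/
 var loopTime;
 var startTime = new Date();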
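Review bot: `AddAntiForgeryToken = function (data)` in the second hunk assigns an identifier that is never declared, so it only works by creating an implicit global (and throws a ReferenceError under `'use strict'`); since User.js and CheckAuthCode.js depend on it, declare it explicitly, e.g. `function AddAntiForgeryToken(data) {`. It also duplicates the `$.appendAntiForgeryToken` / `$.getAntiForgeryToken` helpers added in the first hunk, which nothing in this commit calls and which only exist after document ready, so two lookups for the same hidden field now live in one file; either drop the unused pair or have `AddAntiForgeryToken` read the value through `$.getAntiForgeryToken()` so the selector is defined once. A one-line comment such as `// Adds the __RequestVerificationToken hidden field rendered by _Layout to an ajax data object (mutates and returns data)` would also tell callers that the argument is modified in place.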

+ 4
- 0
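--- a/Teknik/Views/Shared/_Layout.cshtml
+++ b/Teknik/Views/Shared/_Layout.cshtml
@@ -63,6 +63,10 @@
 </div>
 </noscript>
 
+<!-- Anti-Forgery Token -->
+<!-- used for ajax in AddAntiForgeryToken() -->
+<form id="__AjaxAntiForgeryForm" action="#" method="post">@Html.AntiForgeryToken()</form>
+
 @RenderBody()
 </div>
 @Html.Partial("_Footer")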
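Review bot: The two `<!-- -->` lines added above the form are HTML comments and are sent to every client; Razor comments, `@* Anti-forgery token, read by AddAntiForgeryToken() in Common.js *@`, keep the explanation in the source only. The token is also present only on pages rendered through this layout, so a view that posts via `AddAntiForgeryToken` without `_Layout` sends an empty token and is rejected; a comment stating that dependency here would save the next reader a debugging round.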
