Teknikode
/
Teknik
3
17
Fork 5
Code Issues 39 Pull Requests 1 Releases 2 Wiki Activity
Browse Source

Added anti-forgery tokens to user account related requests. Unable to add to login/registration due to cross-domain support for the login/registration form.

pull/29/head
Teknikode 6 years ago
parent
f039a81925
commit
53d6fc1628
5 changed files with 67 additions and 13 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      Teknik/Areas/User/Controllers/UserController.cs
  2. 4
      Teknik/Areas/User/Scripts/CheckAuthCode.js
  3. 22
      Teknik/Areas/User/Scripts/User.js
  4. 42
      Teknik/Scripts/Common.js
  5. 4
      Teknik/Views/Shared/_Layout.cshtml

8
Teknik/Areas/User/Controllers/UserController.cs
Unescape View File

@ -314,6 +314,7 @@ namespace Teknik.Areas.Users.Controllers @@ -314,6 +314,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(string curPass, string newPass, string newPassConfirm, string pgpPublicKey, string recoveryEmail, bool allowTrustedDevices, bool twoFactorEnabled, string website, string quote, string about, string blogTitle, string blogDesc, bool saveKey, bool serverSideEncrypt)
{
if (ModelState.IsValid)
@ -435,6 +436,7 @@ namespace Teknik.Areas.Users.Controllers @@ -435,6 +436,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Delete()
{
if (ModelState.IsValid)
@ -473,6 +475,7 @@ namespace Teknik.Areas.Users.Controllers @@ -473,6 +475,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult ResendVerifyRecoveryEmail()
{
if (ModelState.IsValid)
@ -517,6 +520,7 @@ namespace Teknik.Areas.Users.Controllers @@ -517,6 +520,7 @@ namespace Teknik.Areas.Users.Controllers
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult SendResetPasswordVerification(string username)
{
if (ModelState.IsValid)
@ -573,6 +577,7 @@ namespace Teknik.Areas.Users.Controllers @@ -573,6 +577,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult SetUserPassword(string password, string confirmPassword)
{
if (ModelState.IsValid)
@ -626,6 +631,7 @@ namespace Teknik.Areas.Users.Controllers @@ -626,6 +631,7 @@ namespace Teknik.Areas.Users.Controllers
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult ConfirmAuthenticatorCode(string code, string returnUrl, bool rememberMe, bool rememberDevice, string deviceName)
{
User user = (User)Session["AuthenticatedUser"];
@ -673,6 +679,7 @@ namespace Teknik.Areas.Users.Controllers @@ -673,6 +679,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult VerifyAuthenticatorCode(string code)
{
User user = UserHelper.GetUser(db, User.Identity.Name);
@ -709,6 +716,7 @@ namespace Teknik.Areas.Users.Controllers @@ -709,6 +716,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult ClearTrustedDevices()
{
try

4
Teknik/Areas/User/Scripts/CheckAuthCode.js
Unescape View File

@ -10,12 +10,12 @@ @@ -10,12 +10,12 @@
$.ajax({
type: "POST",
url: confirmAuthCodeURL,
data: {
data: AddAntiForgeryToken({
code: setCode,
returnUrl: returnUrl,
rememberMe: rememberMe,
rememberDevice: rememberDevice
},
}),
xhrFields: {
withCredentials: true
},

22
Teknik/Areas/User/Scripts/User.js
Unescape View File

@ -8,7 +8,7 @@ @@ -8,7 +8,7 @@
$.ajax({
type: "POST",
url: resendVerifyURL,
data: {},
data: AddAntiForgeryToken({}),
success: function (html) {
if (html.result) {
window.location.reload();
@ -43,9 +43,9 @@ @@ -43,9 +43,9 @@
$.ajax({
type: "POST",
url: confirmAuthSetupURL,
data: {
data: AddAntiForgeryToken({
code: setCode
},
}),
success: function (html) {
if (html.result) {
$("#authSetupStatus").css('display', 'inline', 'important');
@ -70,7 +70,7 @@ @@ -70,7 +70,7 @@
$.ajax({
type: "POST",
url: clearTrustedDevicesURL,
data: {},
data: AddAntiForgeryToken({}),
success: function (html) {
if (html.result) {
$('#ClearDevices').html('Clear Trusted Devices (0)');
@ -98,7 +98,7 @@ @@ -98,7 +98,7 @@
$.ajax({
type: "POST",
url: deleteUserURL,
data: {},
data: AddAntiForgeryToken({}),
success: function (html) {
if (html.result) {
window.location.replace(homeUrl);
@ -141,7 +141,7 @@ @@ -141,7 +141,7 @@
$.ajax({
type: "POST",
url: editUserURL,
data: {
data: AddAntiForgeryToken({
curPass: current_password,
newPass: password,
newPassConfirm: password_confirm,
@ -156,7 +156,7 @@ @@ -156,7 +156,7 @@
blogDesc: blog_desc,
saveKey: upload_saveKey,
serverSideEncrypt: upload_serverSideEncrypt
},
}),
success: function (html) {
$.unblockUI();
if (html.result) {
@ -190,9 +190,9 @@ @@ -190,9 +190,9 @@
$.ajax({
type: "POST",
url: form.attr('action'),
data: {
data: AddAntiForgeryToken({
username: username
},
}),
success: function (html) {
if (html.result) {
$("#top_msg").css('display', 'inline', 'important');
@ -217,10 +217,10 @@ @@ -217,10 +217,10 @@
$.ajax({
type: "POST",
url: form.attr('action'),
data: {
data: AddAntiForgeryToken({
password: password,
confirmPassword: confirmPassword
},
}),
success: function (html) {
if (html.result) {
$("#top_msg").css('display', 'inline', 'important');

42
Teknik/Scripts/Common.js
Unescape View File

@ -86,6 +86,43 @@ $(function () { @@ -86,6 +86,43 @@ $(function () {
if (lastTab) {
$('[href="' + lastTab + '"]').tab('show');
}
$.appendAntiForgeryToken = function (data, token) {
// Converts data if not already a string.
if (data && typeof data !== "string") {
data = $.param(data);
}
// Gets token from current window by default.
token = token ? token : $.getAntiForgeryToken(); // $.getAntiForgeryToken(window).
data = data ? data + "&" : "";
// If token exists, appends {token.name}={token.value} to data.
return token ? data + encodeURIComponent(token.name) + "=" + encodeURIComponent(token.value) : data;
};
$.getAntiForgeryToken = function (tokenWindow, appPath) {
// HtmlHelper.AntiForgeryToken() must be invoked to print the token.
tokenWindow = tokenWindow && typeof tokenWindow === typeof window ? tokenWindow : window;
appPath = appPath && typeof appPath === "string" ? "_" + appPath.toString() : "";
// The name attribute is either __RequestVerificationToken,
// or __RequestVerificationToken_{appPath}.
var tokenName = "__RequestVerificationToken" + appPath;
// Finds the <input type="hidden" name={tokenName} value="..." /> from the specified window.
// var inputElements = tokenWindow.$("input[type='hidden'][name=' + tokenName + "']");
var inputElements = tokenWindow.document.getElementsByTagName("input");
for (var i = 0; i < inputElements.length; i++) {
var inputElement = inputElements[i];
if (inputElement.type === "hidden" && inputElement.name === tokenName) {
return {
name: tokenName,
value: inputElement.value
};
}
}
};
});
function removeAmp(code) {
@ -132,6 +169,11 @@ function getAnchor() { @@ -132,6 +169,11 @@ function getAnchor() {
return (urlParts.length > 1) ? urlParts[1] : null;
}
AddAntiForgeryToken = function (data) {
data.__RequestVerificationToken = $('#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]').val();
return data;
};
/***************************** TIMER Page Load *******************************/
var loopTime;
var startTime = new Date();

4
Teknik/Views/Shared/_Layout.cshtml
Unescape View File

@ -63,6 +63,10 @@ @@ -63,6 +63,10 @@
</div>
</noscript>
<!-- Anti-Forgery Token -->
<!-- used for ajax in AddAntiForgeryToken() -->
<form id="__AjaxAntiForgeryForm" action="#" method="post">@Html.AntiForgeryToken()</form>
@RenderBody()
</div>
@Html.Partial("_Footer")

Write Preview
Loading…
Cancel
Save