
Added anti-forgery tokens to user-account-related requests. Unable to add them to login/registration because of the cross-domain support for the login/registration form.

pull/29/head
Teknikode 6 years ago
parent
commit
53d6fc1628
  1. 8
      Teknik/Areas/User/Controllers/UserController.cs
  2. 4
      Teknik/Areas/User/Scripts/CheckAuthCode.js
  3. 22
      Teknik/Areas/User/Scripts/User.js
  4. 42
      Teknik/Scripts/Common.js
  5. 4
      Teknik/Views/Shared/_Layout.cshtml

8
Teknik/Areas/User/Controllers/UserController.cs

@ -314,6 +314,7 @@ namespace Teknik.Areas.Users.Controllers @@ -314,6 +314,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(string curPass, string newPass, string newPassConfirm, string pgpPublicKey, string recoveryEmail, bool allowTrustedDevices, bool twoFactorEnabled, string website, string quote, string about, string blogTitle, string blogDesc, bool saveKey, bool serverSideEncrypt)
{
if (ModelState.IsValid)
@ -435,6 +436,7 @@ namespace Teknik.Areas.Users.Controllers @@ -435,6 +436,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Delete()
{
if (ModelState.IsValid)
@ -473,6 +475,7 @@ namespace Teknik.Areas.Users.Controllers @@ -473,6 +475,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult ResendVerifyRecoveryEmail()
{
if (ModelState.IsValid)
@ -517,6 +520,7 @@ namespace Teknik.Areas.Users.Controllers @@ -517,6 +520,7 @@ namespace Teknik.Areas.Users.Controllers
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult SendResetPasswordVerification(string username)
{
if (ModelState.IsValid)
@ -573,6 +577,7 @@ namespace Teknik.Areas.Users.Controllers @@ -573,6 +577,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult SetUserPassword(string password, string confirmPassword)
{
if (ModelState.IsValid)
@ -626,6 +631,7 @@ namespace Teknik.Areas.Users.Controllers @@ -626,6 +631,7 @@ namespace Teknik.Areas.Users.Controllers
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult ConfirmAuthenticatorCode(string code, string returnUrl, bool rememberMe, bool rememberDevice, string deviceName)
{
User user = (User)Session["AuthenticatedUser"];
@ -673,6 +679,7 @@ namespace Teknik.Areas.Users.Controllers @@ -673,6 +679,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult VerifyAuthenticatorCode(string code)
{
User user = UserHelper.GetUser(db, User.Identity.Name);
@ -709,6 +716,7 @@ namespace Teknik.Areas.Users.Controllers @@ -709,6 +716,7 @@ namespace Teknik.Areas.Users.Controllers
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult ClearTrustedDevices()
{
try
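Review bot: `[ValidateAntiForgeryToken]` on the two `[AllowAnonymous]` actions (`SendResetPasswordVerification`, `ConfirmAuthenticatorCode`) only succeeds when the posting page was rendered by this application's `_Layout.cshtml` on the same origin, because the validator needs both the `__RequestVerificationToken` cookie and the matching hidden field; `CheckAuthCode.js` posts to `ConfirmAuthenticatorCode` with `withCredentials: true`, which is only needed for cross-origin requests. If that confirm-code page is served from another domain, the request will be rejected for the same reason the commit message gives for leaving login/registration out. Worth either verifying that page is same-origin or documenting the assumption above the action: `// Anti-forgery validation requires the posting page to be rendered by _Layout.cshtml on this origin (see AddAntiForgeryToken in Common.js).` The bodies of `ConfirmAuthenticatorCode` and of every other action in these hunks continue outside the hunk.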

4
Teknik/Areas/User/Scripts/CheckAuthCode.js

@ -10,12 +10,12 @@ @@ -10,12 +10,12 @@
$.ajax({
type: "POST",
url: confirmAuthCodeURL,
data: {
data: AddAntiForgeryToken({
code: setCode,
returnUrl: returnUrl,
rememberMe: rememberMe,
rememberDevice: rememberDevice
},
}),
xhrFields: {
withCredentials: true
},

22
Teknik/Areas/User/Scripts/User.js

@ -8,7 +8,7 @@ @@ -8,7 +8,7 @@
$.ajax({
type: "POST",
url: resendVerifyURL,
data: {},
data: AddAntiForgeryToken({}),
success: function (html) {
if (html.result) {
window.location.reload();
@ -43,9 +43,9 @@ @@ -43,9 +43,9 @@
$.ajax({
type: "POST",
url: confirmAuthSetupURL,
data: {
data: AddAntiForgeryToken({
code: setCode
},
}),
success: function (html) {
if (html.result) {
$("#authSetupStatus").css('display', 'inline', 'important');
@ -70,7 +70,7 @@ @@ -70,7 +70,7 @@
$.ajax({
type: "POST",
url: clearTrustedDevicesURL,
data: {},
data: AddAntiForgeryToken({}),
success: function (html) {
if (html.result) {
$('#ClearDevices').html('Clear Trusted Devices (0)');
@ -98,7 +98,7 @@ @@ -98,7 +98,7 @@
$.ajax({
type: "POST",
url: deleteUserURL,
data: {},
data: AddAntiForgeryToken({}),
success: function (html) {
if (html.result) {
window.location.replace(homeUrl);
@ -141,7 +141,7 @@ @@ -141,7 +141,7 @@
$.ajax({
type: "POST",
url: editUserURL,
data: {
data: AddAntiForgeryToken({
curPass: current_password,
newPass: password,
newPassConfirm: password_confirm,
@ -156,7 +156,7 @@ @@ -156,7 +156,7 @@
blogDesc: blog_desc,
saveKey: upload_saveKey,
serverSideEncrypt: upload_serverSideEncrypt
},
}),
success: function (html) {
$.unblockUI();
if (html.result) {
@ -190,9 +190,9 @@ @@ -190,9 +190,9 @@
$.ajax({
type: "POST",
url: form.attr('action'),
data: {
data: AddAntiForgeryToken({
username: username
},
}),
success: function (html) {
if (html.result) {
$("#top_msg").css('display', 'inline', 'important');
@ -217,10 +217,10 @@ @@ -217,10 +217,10 @@
$.ajax({
type: "POST",
url: form.attr('action'),
data: {
data: AddAntiForgeryToken({
password: password,
confirmPassword: confirmPassword
},
}),
success: function (html) {
if (html.result) {
$("#top_msg").css('display', 'inline', 'important');
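Review bot: Every one of these calls now depends on `AddAntiForgeryToken`, a global that `Common.js` assigns at file scope, so `User.js` (and `CheckAuthCode.js`, which gains the same dependency) only works if `Common.js` has already executed, and nothing in these hunks enforces or documents that order. A one-line note at the top of the file would make the dependency visible: `// Requires Common.js (AddAntiForgeryToken) to be loaded first.` If these `$.ajax` calls have an `error` handler (it would be outside the hunks), it is worth checking that it copes with the response the server returns for a missing or stale token, since such a request will no longer reach `success`.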

42
Teknik/Scripts/Common.js

@ -86,6 +86,43 @@ $(function () { @@ -86,6 +86,43 @@ $(function () {
if (lastTab) {
$('[href="' + lastTab + '"]').tab('show');
}
$.appendAntiForgeryToken = function (data, token) {
// Converts data if not already a string.
if (data && typeof data !== "string") {
data = $.param(data);
}
// Gets token from current window by default.
token = token ? token : $.getAntiForgeryToken(); // $.getAntiForgeryToken(window).
data = data ? data + "&" : "";
// If token exists, appends {token.name}={token.value} to data.
return token ? data + encodeURIComponent(token.name) + "=" + encodeURIComponent(token.value) : data;
};
$.getAntiForgeryToken = function (tokenWindow, appPath) {
// HtmlHelper.AntiForgeryToken() must be invoked to print the token.
tokenWindow = tokenWindow && typeof tokenWindow === typeof window ? tokenWindow : window;
appPath = appPath && typeof appPath === "string" ? "_" + appPath.toString() : "";
// The name attribute is either __RequestVerificationToken,
// or __RequestVerificationToken_{appPath}.
var tokenName = "__RequestVerificationToken" + appPath;
// Finds the <input type="hidden" name={tokenName} value="..." /> from the specified window.
// var inputElements = tokenWindow.$("input[type='hidden'][name=' + tokenName + "']");
var inputElements = tokenWindow.document.getElementsByTagName("input");
for (var i = 0; i < inputElements.length; i++) {
var inputElement = inputElements[i];
if (inputElement.type === "hidden" && inputElement.name === tokenName) {
return {
name: tokenName,
value: inputElement.value
};
}
}
};
});
function removeAmp(code) {
@ -132,6 +169,11 @@ function getAnchor() { @@ -132,6 +169,11 @@ function getAnchor() {
return (urlParts.length > 1) ? urlParts[1] : null;
}
AddAntiForgeryToken = function (data) {
data.__RequestVerificationToken = $('#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]').val();
return data;
};
/***************************** TIMER Page Load *******************************/
var loopTime;
var startTime = new Date();
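Review bot: `AddAntiForgeryToken = function (data) {` in the second hunk creates an implicit global with no declaration, dereferences `data` without a guard (a `null` argument throws), and silently sends `undefined` when `#__AjaxAntiForgeryForm` is absent from the page; declaring it explicitly and defaulting the argument, `window.AddAntiForgeryToken = function (data) {` followed by `data = data || {};`, keeps the interface while making both cases visible. The `$.appendAntiForgeryToken` / `$.getAntiForgeryToken` pair added inside the ready handler in the first hunk is not called by any of the changed scripts, which all use `AddAntiForgeryToken`, and it looks the token up by a different rule (any hidden input named `__RequestVerificationToken` plus an optional `appPath` suffix, anywhere in the document) than the form-scoped selector, so two helpers with different lookup rules are now shipped; either drop one or add a comment saying why both exist. The commented-out selector line `// var inputElements = tokenWindow.$(...)` should be deleted rather than kept alongside the live code.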

4
Teknik/Views/Shared/_Layout.cshtml

@ -63,6 +63,10 @@ @@ -63,6 +63,10 @@
</div>
</noscript>
<!-- Anti-Forgery Token -->
<!-- used for ajax in AddAntiForgeryToken() -->
<form id="__AjaxAntiForgeryForm" action="#" method="post">@Html.AntiForgeryToken()</form>
@RenderBody()
</div>
@Html.Partial("_Footer")
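Review bot: The two explanatory comments above the hidden form are HTML comments, so they are emitted to every client; in a Razor view a server-side comment keeps the note for maintainers without shipping it, e.g. `@* Anti-forgery token used by AddAntiForgeryToken() in Common.js for ajax posts; the form itself is never submitted. *@`. Since `@Html.AntiForgeryToken()` now renders on every page that uses this layout, the token in the markup must match the cookie issued with the same response; nothing in the hunk shows caching, but if any action using this layout is served from an output cache the stale token will be rejected by the new `[ValidateAntiForgeryToken]` actions, so that is worth confirming.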
