Add CSRF prevention for /signout

This commit is contained in:
Omar Roth 2018-11-08 17:42:25 -06:00
parent 28f564ee4c
commit 8e6bee75e7
3 changed files with 25 additions and 7 deletions


@ -390,9 +390,9 @@ def extract_items(nodeset, ucid = nil)
return items
end
def create_response(user_id, operation, key)
def create_response(user_id, operation, key, expire = 6.hours)
expire = Time.now + expire
nonce = Random::Secure.hex(4)
expire = Time.now + 6.hours
challenge = "#{expire.to_unix}-#{nonce}-#{user_id}-#{operation}"
token = OpenSSL::HMAC.digest(:sha256, key, challenge)
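Review bot: On the new `def create_response(user_id, operation, key, expire = 6.hours)` line `expire` is a duration, and on the very next line it is rebound to a point in time, so one name carries two meanings inside the method (and Crystal will presumably type the local as a union of the two); `expires_at = Time.now + expire` together with `challenge = "#{expires_at.to_unix}-#{nonce}-#{user_id}-#{operation}"` keeps both readable. The new optional parameter also deserves a line above the def such as `# Builds an expiring CSRF challenge and its HMAC; `expire` is how long the pair stays valid (default 6.hours).` so callers know what unit they are passing. The remainder of create_response lies outside the hunk.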


@ -67,7 +67,7 @@
</a>
</div>
<div class="pure-u-1-4">
<a href="/signout?referer=<%= env.get?("current_page") %>" class="pure-menu-heading">Sign out</a>
<a href="/signout?referer=<%= env.get?("current_page") %>&token=<%= env.get?("token") %>&challenge=<%= env.get?("challenge") %>" class="pure-menu-heading">Sign out</a>
</div>
<% else %>
<a href="/login?referer=<%= env.get?("current_page") %>" class="pure-menu-heading">Login</a>
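Review bot: The new sign-out `href` interpolates `token` and `challenge` straight into the query string without URL-escaping them, so any `+`, `/`, `=` or `&` in the encoded HMAC, or the `-`-joined challenge, will be altered or split into extra parameters by the browser and the server-side check will fail or be skipped; each `<%= env.get?(...) %>` that feeds a query parameter (the pre-existing `referer` included) should be wrapped in URL escaping before it is placed in the link. Because sign-out remains a plain GET link, the token also ends up in browser history, access logs and the Referer header of any outbound link on the next page for as long as it is valid; a small POST form carrying `token` and `challenge` as hidden fields would keep the same CSRF protection without that exposure. I cannot tell from this hunk whether `env.get?("token")` can be nil here; if it can, the link should only be rendered when both values are present.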