root
/
threadr.lostcave.ddnss.de
3
1
Fork 2
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

Add CSRF checks to signup.

jocadbz
Joca 2026-03-06 14:51:14 -03:00
parent ff4e05fd0b
commit 48363ccef9
Signed by: jocadbz
GPG Key ID: B1836DCE2F50BDF7
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
handlers/signup.go
View File

@ -12,6 +12,11 @@ func SignupHandler(app *App) http.HandlerFunc {
session := r.Context().Value("session").(*sessions.Session) session := r.Context().Value("session").(*sessions.Session)
cookie, _ := r.Cookie("threadr_cookie_banner") cookie, _ := r.Cookie("threadr_cookie_banner")
if r.Method == http.MethodPost { if r.Method == http.MethodPost {
if !app.validateCSRFToken(r, session) {
http.Error(w, "Invalid CSRF token", http.StatusForbidden)
return
}
username := r.FormValue("username") username := r.FormValue("username")
password := r.FormValue("password") password := r.FormValue("password")
passwordConfirm := r.FormValue("password_confirm") passwordConfirm := r.FormValue("password_confirm")
@ -31,6 +36,7 @@ func SignupHandler(app *App) http.HandlerFunc {
BasePath: app.Config.ThreadrDir, BasePath: app.Config.ThreadrDir,
StaticPath: app.Config.ThreadrDir + "/static", StaticPath: app.Config.ThreadrDir + "/static",
CurrentURL: r.URL.RequestURI(), CurrentURL: r.URL.RequestURI(),
CSRFToken: app.csrfToken(session),
}, },
Error: "Passwords do not match. Please try again.", Error: "Passwords do not match. Please try again.",
} }
@ -57,6 +63,7 @@ func SignupHandler(app *App) http.HandlerFunc {
BasePath: app.Config.ThreadrDir, BasePath: app.Config.ThreadrDir,
StaticPath: app.Config.ThreadrDir + "/static", StaticPath: app.Config.ThreadrDir + "/static",
CurrentURL: r.URL.RequestURI(), CurrentURL: r.URL.RequestURI(),
CSRFToken: app.csrfToken(session),
}, },
Error: "An error occurred during sign up. Please try again.", Error: "An error occurred during sign up. Please try again.",
} }
@ -82,6 +89,7 @@ func SignupHandler(app *App) http.HandlerFunc {
BasePath: app.Config.ThreadrDir, BasePath: app.Config.ThreadrDir,
StaticPath: app.Config.ThreadrDir + "/static", StaticPath: app.Config.ThreadrDir + "/static",
CurrentURL: r.URL.RequestURI(), CurrentURL: r.URL.RequestURI(),
CSRFToken: app.csrfToken(session),
}, },
Error: "", Error: "",
} }

3
templates/pages/signup.html
View File

@ -17,6 +17,7 @@
<p class="field-error" style="text-align: center; font-size: 1em;">{{.Error}}</p> <p class="field-error" style="text-align: center; font-size: 1em;">{{.Error}}</p>
{{end}} {{end}}
<form method="post" action="{{.BasePath}}/signup/"> <form method="post" action="{{.BasePath}}/signup/">
<input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
<label for="username">Username:</label> <label for="username">Username:</label>
<input type="text" id="username" name="username" required autocomplete="username" minlength="3" maxlength="30"><br> <input type="text" id="username" name="username" required autocomplete="username" minlength="3" maxlength="30"><br>
<label for="password">Password:</label> <label for="password">Password:</label>
@ -30,4 +31,4 @@
{{template "cookie_banner" .}} {{template "cookie_banner" .}}
</body> </body>
</html> </html>
{{end}} {{end}}