Use synchronizer tokens. Thanks to anonymousmaybe for the analysis

This commit is contained in:
Zlatin Balevsky
2020-05-16 06:27:03 +01:00
parent 1e318ff3dc
commit c2ce595ea3
3 changed files with 18 additions and 2 deletions


@ -9,7 +9,7 @@
Prove that you are <span class="short-id">${shortID}</span><br/>
Sign the following challenge:<br>
<div class="challenge">${challenge}</div>
<g:form>
<g:form useToken="true">
<g:textField name="response"/><br/>
<input type="checkbox" name="remember-me" <g:if test="${hasCookie}">checked</g:if> /> Remember me</br>
<g:actionSubmit value="Submit" action="submitresponse"/>
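Review bot: The `</br>` that ends the Remember me line is not a valid tag and should be `<br/>`, matching the textField line just above it; since this form is being touched for token support anyway it is a cheap cleanup. Separately, the hidden token that the new `useToken="true"` emits is consumed by the filter on every submission (`tokensHolder.resetToken(url,token)` in the third file runs whether or not `isValid` returned true), so a user who gets the challenge wrong and resubmits the already-rendered page would presumably land on the 403 "Duplicate form submission" path rather than an authentication-failure message. The failure handler should re-render this template so a fresh token is issued; worth confirming, since the filter body continues past the shown hunk. The same consideration applies to the personaB64 form in the second file.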


@ -11,7 +11,7 @@
<center>
<h3>Copy-paste your full MuWire ID</h3>
<g:form>
<g:form useToken="true">
<g:textArea name="personaB64" rows="10" cols="60"/>
<br/>
<g:actionSubmit value="submit" action="submituser" />


@ -6,6 +6,7 @@ import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import javax.servlet.http.HttpSession
import org.grails.web.servlet.mvc.SynchronizerTokensHolder
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.core.Authentication
import org.springframework.security.core.AuthenticationException
@ -27,6 +28,21 @@ class ChallengeResponseAuthenticationFilter extends AbstractAuthenticationProces
throws AuthenticationException, IOException, ServletException {
HttpSession session = request.getSession()
SynchronizerTokensHolder tokensHolder = session.getAttribute("SYNCHRONIZER_TOKENS_HOLDER")
if (!tokensHolder)
throw new AuthenticationException("inconsistent session") {}
String url = request.getParameter("SYNCHRONIZER_URI")
String token = request.getParameter("SYNCHRONIZER_TOKEN")
boolean valid = false
if (url && token) {
valid = tokensHolder.isValid(url, token)
tokensHolder.resetToken(url,token)
}
if (!valid) {
response.sendError(403,"Duplicate form submission")
return null
}
String personaB64 = request.getParameter("personaB64")
if (personaB64 != null) {