Protect revoke_token with a CSRF token
This commit is contained in:
parent
d703fa6a3a
commit
ac5b5fb379
3 changed files with 33 additions and 14 deletions
|
@ -455,22 +455,22 @@ class ConfigController extends AbstractController
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @Route("/revoke-token", name="revoke_token")
|
* @Route("/revoke-token", name="revoke_token", methods={"POST"})
|
||||||
*
|
*
|
||||||
* @return RedirectResponse|JsonResponse
|
* @return RedirectResponse|JsonResponse
|
||||||
*/
|
*/
|
||||||
public function revokeTokenAction(Request $request)
|
public function revokeTokenAction(Request $request)
|
||||||
{
|
{
|
||||||
|
if (!$this->isCsrfTokenValid('revoke-token', $request->request->get('token'))) {
|
||||||
|
throw new BadRequestHttpException('Bad CSRF token.');
|
||||||
|
}
|
||||||
|
|
||||||
$config = $this->getConfig();
|
$config = $this->getConfig();
|
||||||
$config->setFeedToken(null);
|
$config->setFeedToken(null);
|
||||||
|
|
||||||
$this->entityManager->persist($config);
|
$this->entityManager->persist($config);
|
||||||
$this->entityManager->flush();
|
$this->entityManager->flush();
|
||||||
|
|
||||||
if ($request->isXmlHttpRequest()) {
|
|
||||||
return new JsonResponse();
|
|
||||||
}
|
|
||||||
|
|
||||||
$this->addFlash(
|
$this->addFlash(
|
||||||
'notice',
|
'notice',
|
||||||
'flashes.config.notice.feed_token_revoked'
|
'flashes.config.notice.feed_token_revoked'
|
||||||
|
|
|
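Review bot: The docblock on the new side still declares `@return RedirectResponse|JsonResponse`, yet the `if ($request->isXmlHttpRequest())` / `return new JsonResponse();` lines are paired only with blank cells in this rendering, which reads as a removal; if that is the case the docblock should become `@return RedirectResponse` so it does not advertise a branch that no longer exists. The CSRF check itself is in the right place: `$request->request->get('token')` yields null when the field is absent, `isCsrfTokenValid()` then returns false, and the 400 is raised before any state is touched. Any front-end code that relied on the JSON reply for XHR revocation would now receive a redirect instead, which is worth confirming against the JavaScript callers. revokeTokenAction's body continues past the hunk, so the final redirect is not visible here.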
@ -146,7 +146,12 @@
|
||||||
|
|
||||||
<button type="submit" class="btn-link">{{ 'config.form_feed.token_reset'|trans }}</button>
|
<button type="submit" class="btn-link">{{ 'config.form_feed.token_reset'|trans }}</button>
|
||||||
</form>
|
</form>
|
||||||
– <a href="{{ path('revoke_token') }}">{{ 'config.form_feed.token_revoke'|trans }}</a>
|
–
|
||||||
|
<form action="{{ path('revoke_token') }}" method="post" class="inline-block">
|
||||||
|
<input type="hidden" name="token" value="{{ csrf_token('revoke-token') }}"/>
|
||||||
|
|
||||||
|
<button type="submit" class="btn-link">{{ 'config.form_feed.token_revoke'|trans }}</button>
|
||||||
|
</form>
|
||||||
{% else %}
|
{% else %}
|
||||||
–
|
–
|
||||||
<form action="{{ path('generate_token') }}" method="post" class="inline-block">
|
<form action="{{ path('generate_token') }}" method="post" class="inline-block">
|
||||||
|
|
|
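Review bot: The route is now POST-only, so any other template that still renders `path('revoke_token')` as a plain `<a href>` would fail with a 405 rather than being CSRF-checked; the diffstat lists only one template, which is worth double-checking if the project ships more than one theme. The hidden field name `token` and the token id `revoke-token` in the added form must stay in sync with `$request->request->get('token')` and `isCsrfTokenValid('revoke-token', ...)` in the controller, and a short Twig comment such as `{# field name and token id must match ConfigController::revokeTokenAction #}` above the input would make that coupling visible to the next editor.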
@ -343,15 +343,29 @@ class ConfigControllerTest extends WallabagCoreTestCase
|
||||||
$this->logInAs('admin');
|
$this->logInAs('admin');
|
||||||
$client = $this->getTestClient();
|
$client = $this->getTestClient();
|
||||||
|
|
||||||
$client->request(
|
// set the token
|
||||||
'GET',
|
$em = $client->getContainer()->get(EntityManagerInterface::class);
|
||||||
'/revoke-token',
|
$user = $em
|
||||||
[],
|
->getRepository(User::class)
|
||||||
[],
|
->findOneByUsername('admin');
|
||||||
['HTTP_X-Requested-With' => 'XMLHttpRequest']
|
|
||||||
);
|
|
||||||
|
|
||||||
$this->assertSame(200, $client->getResponse()->getStatusCode());
|
if (!$user) {
|
||||||
|
$this->markTestSkipped('No user found in db.');
|
||||||
|
}
|
||||||
|
|
||||||
|
$config = $user->getConfig();
|
||||||
|
$config->setFeedToken('abcd1234');
|
||||||
|
$em->persist($config);
|
||||||
|
$em->flush();
|
||||||
|
|
||||||
|
$crawler = $client->request('GET', '/config');
|
||||||
|
|
||||||
|
$client->submit($crawler->selectButton('config.form_feed.token_revoke')->form());
|
||||||
|
|
||||||
|
$crawler = $client->followRedirect();
|
||||||
|
|
||||||
|
$this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text']));
|
||||||
|
$this->assertStringContainsString('config.form_feed.token_create', $body[0]);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testFeedUpdate()
|
public function testFeedUpdate()
|
||||||
|
|
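Review bot: The rewritten test only exercises the happy path through the rendered form; the protection this commit adds — a POST with a missing or wrong token being rejected — is not asserted, so a regression that drops the check would pass unnoticed. A second test along the lines of `$client->request('POST', '/revoke-token', ['token' => 'not-the-token']); $this->assertSame(400, $client->getResponse()->getStatusCode());` would pin it, and a plain `GET` expecting 405 would cover the `methods={"POST"}` restriction. Separately, `$this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text']))` compares an array with an int, which PHP 8 always evaluates as greater, so that assertion cannot fail; `$this->assertNotEmpty($body = $crawler->filter('body')->extract(['_text']));` expresses the intent. The enclosing test method starts before the hunk.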