Improved csrf protection for remote login

2021-10-03 09:58:10 +02:00 · 2021-10-03 09:58:10 +02:00 · 1c15e10ac0
parent 52be2ad4a2
commit 1c15e10ac0
3 changed files with 40 additions and 4 deletions
--- a/cps/static/js/main.js
+++ b/cps/static/js/main.js
@ -15,7 +15,6 @@
 *  along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

-
 function getPath() {
    var jsFileLocation = $("script[src*=jquery]").attr("src");  // the js file path
    return jsFileLocation.substr(0, jsFileLocation.search("/static/js/libs/jquery.min.js"));  // the js folder path
--- a/cps/static/js/remote_login.js
+++ b/cps/static/js/remote_login.js
@ -0,0 +1,36 @@
+/* This file is part of the Calibre-Web (https://github.com/janeczku/calibre-web)
+ *    Copyright (C) 2017-2021  jkrehm, OzzieIsaacs
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+(function () {
+    // Poll the server to check if the user has authenticated
+    var t = setInterval(function () {
+        $.post(getPath() + "/ajax/verify_token", { token: $("#verify_url").data("token") })
+            .done(function(response) {
+                if (response.status === 'success') {
+                // Wait a tick so cookies are updated
+                setTimeout(function () {
+                    window.location.href = getPath() + '/';
+                }, 0);
+            }
+        })
+        .fail(function (xhr) {
+            clearInterval(t);
+            var response = JSON.parse(xhr.responseText);
+            alert(response.message);
+        });
+    }, 5000);
+})()
--- a/cps/templates/remote_login.html
+++ b/cps/templates/remote_login.html
@ -4,7 +4,7 @@
  <h2 style="margin-top: 0">{{_('Magic Link - Authorise New Device')}}</h2>
  <p>
    {{_('On another device, login and visit:')}}
-  <h4><a id="verify_url" href="{{verify_url}}">{{verify_url}}</a></b>
+  <h4><a id="verify_url" data-token="{{token}}" href="{{verify_url}}">{{verify_url}}</a></b>
  </h4>
  <p>
    {{_('Once verified, you will automatically be logged in on this device.')}}
@ -16,7 +16,8 @@
 {% endblock %}

 {% block js %}
-<script type="text/javascript">
+    <script src="{{ url_for('static', filename='js/remote_login.js') }}"></script>
+<!--script type="text/javascript">
  (function () {
    // Poll the server to check if the user has authenticated
    var t = setInterval(function () {
@ -37,5 +38,5 @@
        });
    }, 5000);
  })()
-</script>
+</script-->
 {% endblock %}