Fix(csrf): Send csrf token for the /change-password path (#535)

* Fix(csrf): Send csrf token for the `/change-password` path Signed-off-by: Kaung Zin Hein <kaungzinhein113@gmail.com> * Fix(csrf): Attach csrf-token to the HTML form Signed-off-by: Kaung Zin Hein <kaungzinhein113@gmail.com> --------- Signed-off-by: Kaung Zin Hein <kaungzinhein113@gmail.com>
curveball · Oct 5, 2024 · 683d489 · 683d489
1 parent 069e270
commit 683d489
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/src/changepassword/controller.ts b/src/changepassword/controller.ts
@@ -10,9 +10,9 @@ class ChangePasswordController extends Controller {
 
   async get(ctx: Context) {
 
+    const csrfToken = await ctx.getCsrf();
     ctx.response.type = 'text/html';
-    ctx.response.body = changePasswordForm(ctx.query.msg, ctx.query.error);
-
+    ctx.response.body = changePasswordForm(ctx.query.msg, ctx.query.error, csrfToken);
   }
 
   async post(ctx: Context<any>) {

diff --git a/src/changepassword/formats/html.ts b/src/changepassword/formats/html.ts
@@ -1,12 +1,13 @@
 import { render } from '../../templates.js';
 
-export function changePasswordForm(msg: string, error: string) {
+export function changePasswordForm(msg: string, error: string, csrfToken: string) {
 
   return render('changepassword', {
     title: 'Change Password',
     msg: msg,
     error: error,
     action: '/change-password',
+    csrfToken: csrfToken,
   });
 
 }
diff --git a/templates/changepassword.hbs b/templates/changepassword.hbs
@@ -26,6 +26,8 @@
     <p class="form-options"><a href="/">Cancel</a></p>
   </fieldset>
 
+  <input type="hidden" name="csrf-token" value="{{ csrfToken }}" />
+
   {{#each hiddenFields}}
   <input type="hidden" name="{{@key}}" value="{{this}}" />
   {{/each}}