
Fix the signup form to work with httpOnly CSRF cookies

This commit is contained in:
Pēteris Caune 2023-02-14 14:20:27 +02:00
parent 8531ef89b5
commit c8750ad05b
No known key found for this signature in database
GPG key ID: E28D7679E9A9EDE2
2 changed files with 21 additions and 23 deletions
hc/accounts
static/js


@ -20,10 +20,11 @@ from django.core.signing import BadSignature, SignatureExpired, TimestampSigner
from django.db import transaction
from django.db.models.functions import Lower
from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseForbidden
from django.middleware import csrf
from django.shortcuts import get_object_or_404, redirect, render
from django.urls import Resolver404, resolve, reverse
from django.utils.timezone import now
from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.http import require_POST
from hc.accounts import forms
@ -192,12 +193,11 @@ def logout(request):
return redirect("hc-index")
@ensure_csrf_cookie
def signup_csrf(request):
if not settings.REGISTRATION_OPEN or request.user.is_authenticated:
return HttpResponseForbidden()
return HttpResponse()
return HttpResponse(csrf.get_token(request))
@require_POST
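Review bot: The rewritten `signup_csrf` now returns the per-session CSRF token in the body of a GET response, but nothing marks that response uncacheable, so a browser or intermediate cache between the client and Django could retain or replay it; the token is not meant to outlive the session it is bound to. Stack `@never_cache` from `django.views.decorators.cache` on the view (or set `Cache-Control: no-store` on the returned `HttpResponse`) so the only copy of the token lives in the cookie the middleware sets and in the in-flight response. Since the view no longer carries `@ensure_csrf_cookie`, a one-line comment such as `# csrf.get_token() also makes the middleware set the csrftoken cookie, so ensure_csrf_cookie is no longer needed` would record why the decorator was dropped. The same point applies to the JavaScript that consumes this endpoint, where a non-200 reply is currently treated as a token.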


@ -2,12 +2,6 @@ window.addEventListener("DOMContentLoaded", function(e) {
var email = document.getElementById("signup-email");
var submitBtn = document.getElementById("signup-go");
function getCsrfToken() {
var kv = document.cookie.split("; ").find(s => s.startsWith("csrftoken="));
if (kv)
return kv.split("=")[1];
}
function getTz() {
try {
return Intl.DateTimeFormat().resolvedOptions().timeZone;
@ -23,20 +17,24 @@ window.addEventListener("DOMContentLoaded", function(e) {
submitBtn.disabled = true;
var base = document.getElementById("base-url").getAttribute("href").slice(0, -1);
fetch(base + "/accounts/signup/csrf/").then(function() {
var payload = new FormData();
payload.append("identity", email.value);
payload.append("tz", getTz());
payload.append("csrfmiddlewaretoken", getCsrfToken());
fetch(base + "/accounts/signup/", {method: "POST", body: payload})
.then(response => response.text())
.then(text => {
var resultLine = document.getElementById("signup-result");
resultLine.innerHTML = text;
resultLine.style.display = "block";
submitBtn.disabled = false;
});
})
fetch(base + "/accounts/signup/csrf/")
.then(response => response.text())
.then(csrfToken => {
var payload = new FormData();
payload.append("identity", email.value);
payload.append("tz", getTz());
payload.append("csrfmiddlewaretoken", csrfToken);
fetch(base + "/accounts/signup/", {method: "POST", body: payload})
.then(response => response.text())
.then(text => {
var resultLine = document.getElementById("signup-result");
resultLine.innerHTML = text;
resultLine.style.display = "block";
submitBtn.disabled = false;
});
});
return false;
}
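Review bot: The new promise chain turns whatever `/accounts/signup/csrf/` returns into the token without checking `response.ok`, so the 403 the view sends when registration is closed or the user is already logged in becomes an HTML error page posted as `csrfmiddlewaretoken`, and the resulting failure is only surfaced as a second, confusing 403 rendered into `signup-result` via `innerHTML`. Guard the first step, e.g. `.then(response => { if (!response.ok) throw new Error("csrf " + response.status); return response.text(); })`, and add a `.catch` that re-enables `submitBtn`, which otherwise stays disabled forever on any network or server error in either fetch. The submit handler this hunk sits in starts before the hunk, and the enclosing DOMContentLoaded callback closes after it.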