Fix the signup form to work with httpOnly CSRF cookies

2025-03-16 21:23:36 +00:00 · 2023-02-14 14:20:27 +02:00 · 2023-02-14 14:20:27 +02:00 · c8750ad05b
commit c8750ad05b
parent 8531ef89b5
2 changed files with 21 additions and 23 deletions
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@ -20,10 +20,11 @@ from django.core.signing import BadSignature, SignatureExpired, TimestampSigner
 from django.db import transaction
 from django.db.models.functions import Lower
 from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseForbidden
+from django.middleware import csrf
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import Resolver404, resolve, reverse
 from django.utils.timezone import now
-from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
+from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST

 from hc.accounts import forms
@ -192,12 +193,11 @@ def logout(request):
    return redirect("hc-index")


-@ensure_csrf_cookie
 def signup_csrf(request):
    if not settings.REGISTRATION_OPEN or request.user.is_authenticated:
        return HttpResponseForbidden()

-    return HttpResponse()
+    return HttpResponse(csrf.get_token(request))


@require_POST
--- a/static/js/signup.js
+++ b/static/js/signup.js
@ -2,12 +2,6 @@ window.addEventListener("DOMContentLoaded", function(e) {
    var email = document.getElementById("signup-email");
    var submitBtn = document.getElementById("signup-go");

-    function getCsrfToken() {
-        var kv = document.cookie.split("; ").find(s => s.startsWith("csrftoken="));
-        if (kv)
-           return kv.split("=")[1];
-    }
-
    function getTz() {
        try {
            return Intl.DateTimeFormat().resolvedOptions().timeZone;
@ -23,20 +17,24 @@ window.addEventListener("DOMContentLoaded", function(e) {
        submitBtn.disabled = true;

        var base = document.getElementById("base-url").getAttribute("href").slice(0, -1);
-        fetch(base + "/accounts/signup/csrf/").then(function() {
-            var payload = new FormData();
-            payload.append("identity", email.value);
-            payload.append("tz", getTz());
-            payload.append("csrfmiddlewaretoken", getCsrfToken());
-            fetch(base + "/accounts/signup/", {method: "POST", body: payload})
-                .then(response => response.text())
-                .then(text => {
-                    var resultLine = document.getElementById("signup-result");
-                    resultLine.innerHTML = text;
-                    resultLine.style.display = "block";
-                    submitBtn.disabled = false;
-                });
-        })
+        fetch(base + "/accounts/signup/csrf/")
+            .then(response => response.text())
+            .then(csrfToken => {
+                var payload = new FormData();
+                payload.append("identity", email.value);
+                payload.append("tz", getTz());
+                payload.append("csrfmiddlewaretoken", csrfToken);
+                fetch(base + "/accounts/signup/", {method: "POST", body: payload})
+                    .then(response => response.text())
+                    .then(text => {
+                        var resultLine = document.getElementById("signup-result");
+                        resultLine.innerHTML = text;
+                        resultLine.style.display = "block";
+                        submitBtn.disabled = false;
+                    });
+
+            });
+
        return false;
    }