Fix the signup form to work with httpOnly CSRF cookies
This commit is contained in:
parent
8531ef89b5
commit
c8750ad05b
2 changed files with 21 additions and 23 deletions
|
@ -20,10 +20,11 @@ from django.core.signing import BadSignature, SignatureExpired, TimestampSigner
|
|||
from django.db import transaction
|
||||
from django.db.models.functions import Lower
|
||||
from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseForbidden
|
||||
from django.middleware import csrf
|
||||
from django.shortcuts import get_object_or_404, redirect, render
|
||||
from django.urls import Resolver404, resolve, reverse
|
||||
from django.utils.timezone import now
|
||||
from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
|
||||
from django.views.decorators.csrf import csrf_exempt
|
||||
from django.views.decorators.http import require_POST
|
||||
|
||||
from hc.accounts import forms
|
||||
|
@ -192,12 +193,11 @@ def logout(request):
|
|||
return redirect("hc-index")
|
||||
|
||||
|
||||
@ensure_csrf_cookie
|
||||
def signup_csrf(request):
|
||||
if not settings.REGISTRATION_OPEN or request.user.is_authenticated:
|
||||
return HttpResponseForbidden()
|
||||
|
||||
return HttpResponse()
|
||||
return HttpResponse(csrf.get_token(request))
|
||||
|
||||
|
||||
@require_POST
|
||||
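Review bot: `return HttpResponse(csrf.get_token(request))` places the CSRF token in a GET response body but sets no cache directives, so a browser or shared cache that stores this response could hand one client's token to another. Django's CSRF middleware, as far as I recall, patches `Vary: Cookie` onto a response once `get_token()` has been called, which narrows the risk for requests that carry cookies but is not a substitute for `Cache-Control: no-store`; decorating the view with `@never_cache` from `django.views.decorators.cache` gives it that header. The view would also benefit from a one-line docstring saying why the token travels in the body rather than the cookie: `"""Return a fresh CSRF token in the body for the signup JS, since the csrftoken cookie may be httpOnly and unreadable from script."""`. The `@require_POST` view that follows starts outside the hunk.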
|
|
|
@ -2,12 +2,6 @@ window.addEventListener("DOMContentLoaded", function(e) {
|
|||
var email = document.getElementById("signup-email");
|
||||
var submitBtn = document.getElementById("signup-go");
|
||||
|
||||
function getCsrfToken() {
|
||||
var kv = document.cookie.split("; ").find(s => s.startsWith("csrftoken="));
|
||||
if (kv)
|
||||
return kv.split("=")[1];
|
||||
}
|
||||
|
||||
function getTz() {
|
||||
try {
|
||||
return Intl.DateTimeFormat().resolvedOptions().timeZone;
|
||||
|
@ -23,20 +17,24 @@ window.addEventListener("DOMContentLoaded", function(e) {
|
|||
submitBtn.disabled = true;
|
||||
|
||||
var base = document.getElementById("base-url").getAttribute("href").slice(0, -1);
|
||||
fetch(base + "/accounts/signup/csrf/").then(function() {
|
||||
var payload = new FormData();
|
||||
payload.append("identity", email.value);
|
||||
payload.append("tz", getTz());
|
||||
payload.append("csrfmiddlewaretoken", getCsrfToken());
|
||||
fetch(base + "/accounts/signup/", {method: "POST", body: payload})
|
||||
.then(response => response.text())
|
||||
.then(text => {
|
||||
var resultLine = document.getElementById("signup-result");
|
||||
resultLine.innerHTML = text;
|
||||
resultLine.style.display = "block";
|
||||
submitBtn.disabled = false;
|
||||
});
|
||||
})
|
||||
fetch(base + "/accounts/signup/csrf/")
|
||||
.then(response => response.text())
|
||||
.then(csrfToken => {
|
||||
var payload = new FormData();
|
||||
payload.append("identity", email.value);
|
||||
payload.append("tz", getTz());
|
||||
payload.append("csrfmiddlewaretoken", csrfToken);
|
||||
fetch(base + "/accounts/signup/", {method: "POST", body: payload})
|
||||
.then(response => response.text())
|
||||
.then(text => {
|
||||
var resultLine = document.getElementById("signup-result");
|
||||
resultLine.innerHTML = text;
|
||||
resultLine.style.display = "block";
|
||||
submitBtn.disabled = false;
|
||||
});
|
||||
|
||||
});
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
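Review bot: The new `.then(response => response.text())` on the `/accounts/signup/csrf/` fetch never checks `response.ok`, so when `signup_csrf` answers 403 (registration closed, or the user is already signed in) its error body becomes `csrfToken`, the POST is sent with that bogus token, and the server's reply to the failed POST is written into the page through the existing `resultLine.innerHTML`. Any rejected fetch also skips `submitBtn.disabled = false`, leaving the button disabled for good. Check the status before reading the body, return the inner POST chain so a single `.catch`/`.finally` can show a fixed message and re-enable the button, and drop the re-enable from the inner success handler; the rewritten chain is below. The submit handler this code sits in starts outside the hunk.

```javascript
fetch(base + "/accounts/signup/csrf/")
    .then(response => {
        if (!response.ok) throw new Error("csrf endpoint returned " + response.status);
        return response.text();
    })
    .then(csrfToken => {
        // … unchanged: build FormData payload with identity, tz, csrfmiddlewaretoken …
        return fetch(base + "/accounts/signup/", {method: "POST", body: payload})
            .then(response => response.text())
            .then(text => {
                // … unchanged: show text in #signup-result (without the submitBtn re-enable) …
            });
    })
    .catch(() => {
        var resultLine = document.getElementById("signup-result");
        resultLine.textContent = "Something went wrong, please try again.";
        resultLine.style.display = "block";
    })
    .finally(() => { submitBtn.disabled = false; });
```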