mirror of
https://git.sr.ht/~cadence/bibliogram
synced 2024-11-21 15:47:29 +00:00
Remove CSRF protection
parent
a6094a37ec
commit
6b667f5f00
@ -41,7 +41,24 @@ function getSettings(req) {
|
||||
return addDefaults()
|
||||
}
|
||||
|
||||
/*
|
||||
* CSRF tokens were previously used here to reduce an attack vector, but have now been removed.
|
||||
*
|
||||
* In a CSRF attack, an attack with a website can forge POST requests to Bibliogram that execute in the visitor's browser. Since the request is first-party, it will include cookies. Therefore a crafted form could override the user's preferences.
|
||||
*
|
||||
* This was removed because:
|
||||
* - Instance redirector extensions can now issue a POST to set consistent preferences
|
||||
* - The chance of somebody choosing to troll visitors is low
|
||||
* - The impact if this occurs is low: the worst that can happen is somebody's preferences are erased, which they can simply change back
|
||||
* - The more popular Invidious does not see it necessary to use CSRF protection
|
||||
* - The implementation wasn't totally secure anyway.
|
||||
*
|
||||
* The code remains, but generateCSRF and checkCSRF have been set to always accept.
|
||||
*/
|
||||
|
||||
function generateCSRF() {
|
||||
return "x"
|
||||
|
||||
const token = crypto.randomBytes(16).toString("hex")
|
||||
const expires = Date.now() + constants.caching.csrf_time
|
||||
db.prepare("INSERT INTO CSRFTokens (token, expires) VALUES (?, ?)").run(token, expires)
|
||||
@ -49,6 +66,8 @@ function generateCSRF() {
|
||||
}
|
||||
|
||||
function checkCSRF(token) {
|
||||
return true
|
||||
|
||||
const row = db.prepare("SELECT * FROM CSRFTokens WHERE token = ? AND expires > ?").get(token, Date.now())
|
||||
if (row) {
|
||||
db.prepare("DELETE FROM CSRFTokens WHERE token = ?").run(token)
|
||||
|
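Review bot: The early `return "x"` in generateCSRF and `return true` in checkCSRF leave the token insert, lookup and delete below them unreachable, so the file still reads as if tokens were issued and verified while every settings POST is now accepted regardless of origin. I would either delete the dead statements or put the bypass behind a configuration switch, so an instance operator can turn the check back on and a linter does not flag unreachable code. The comment's impact line ("preferences are erased") is narrower than its own description a few lines earlier, that a crafted form can override preferences; if any preference changes what the instance loads or where it redirects (not visible in this hunk), that should be assessed, and it is worth confirming whether the settings cookie carries a `SameSite` attribute as a compensating control. The comment also has a typo: "an attack with a website" should read `an attacker with a website`. Both function bodies continue outside the hunks shown.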