Refactor CSRF token (#32216)

2025-07-22 18:28:37 +00:00 · 2024-10-10 11:48:21 +08:00
parent 368b0881f5
commit dd83cfcacc
29 changed files with 90 additions and 126 deletions
--- a/services/auth/auth.go
+++ b/services/auth/auth.go
@@ -103,8 +103,8 @@ func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore

 	middleware.SetLocaleCookie(resp, user.Language, 0)

-	// Clear whatever CSRF has right now, force to generate a new one
+	// force to generate a new CSRF token
 	if ctx := gitea_context.GetWebContext(req); ctx != nil {
-		ctx.Csrf.DeleteCookie(ctx)
+		ctx.Csrf.PrepareForSessionUser(ctx)
 	}
 }
--- a/services/context/csrf.go
+++ b/services/context/csrf.go
@@ -129,10 +129,8 @@ func (c *csrfProtector) PrepareForSessionUser(ctx *Context) {
 	}

 	if needsNew {
-		// FIXME: actionId.
 		c.token = GenerateCsrfToken(c.opt.Secret, c.id, "POST", time.Now())
-		cookie := newCsrfCookie(&c.opt, c.token)
-		ctx.Resp.Header().Add("Set-Cookie", cookie.String())
+		ctx.Resp.Header().Add("Set-Cookie", newCsrfCookie(&c.opt, c.token).String())
 	}

 	ctx.Data["CsrfToken"] = c.token