Added CSRF Protection to routes

closes #135
Traewelling · Feb 14, 2021 · c6ea1e2 · c6ea1e2
1 parent 0c29c0e
commit c6ea1e2
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 18 deletions.
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
@@ -185,11 +185,17 @@ public function deleteSession(): RedirectResponse {
         return redirect()->route('static.welcome');
     }
 
-    //delete a specific session for user
-    public function deleteToken($tokenId): RedirectResponse {
-        $user  = Auth::user();
-        $token = Token::find($tokenId);
-        if ($token->user == $user) {
+    /**
+     * delete a specific session for user
+     * @param Request $request
+     * @return RedirectResponse
+     */
+    public function deleteToken(Request $request): RedirectResponse {
+        $validated = $request->validate([
+                                            'tokenId' => ['required', 'exists:oauth_access_tokens,id']
+                                        ]);
+        $token     = Token::find($validated['tokenId']);
+        if ($token->user->id == Auth::user()->id) {
             $token->revoke();
         }
         return redirect()->route('settings');

diff --git a/resources/views/settings.blade.php b/resources/views/settings.blade.php
@@ -20,9 +20,9 @@ class="col-md-4 col-form-label text-md-right">{{ __('settings.picture') }}</labe
                                 <div class="col-md-6 text-center">
                                     <div class="image-box">
                                         <img
-                                            src="{{ route('account.showProfilePicture', ['username' => $user->username]) }}"
-                                            style="max-width: 96px" alt="{{__('settings.picture')}}" class="pb-2"
-                                            id="theProfilePicture"/>
+                                                src="{{ route('account.showProfilePicture', ['username' => $user->username]) }}"
+                                                style="max-width: 96px" alt="{{__('settings.picture')}}" class="pb-2"
+                                                id="theProfilePicture"/>
                                     </div>
 
                                     <a href="#" class="btn btn-primary" data-toggle="modal"
@@ -295,7 +295,7 @@ class="btn btn-sm btn-outline-danger disconnect">{{ __('settings.disconnect') }}
                                                            aria-describedby="button-addon4">
                                                     <div id="button-addon4" class="input-group-append">
                                                         <button class="btn btn-md btn-primary m-0 px-3" type="submit"><i
-                                                                class="fab fa-mastodon"></i> {{ __('settings.connect') }}
+                                                                    class="fab fa-mastodon"></i> {{ __('settings.connect') }}
                                                         </button>
                                                     </div>
                                                 </div>
@@ -323,7 +323,7 @@ class="btn btn-sm btn-primary">{{ __('settings.connect') }}</a></td>
                                                        aria-describedby="button-addon4">
                                                 <div id="button-addon4" class="input-group-append">
                                                     <button class="btn btn-md btn-primary m-0 px-3" type="submit"><i
-                                                            class="fab fa-mastodon"></i> {{ __('settings.connect') }}
+                                                                class="fab fa-mastodon"></i> {{ __('settings.connect') }}
                                                     </button>
                                                 </div>
                                             </div>
@@ -359,8 +359,13 @@ class="fab fa-mastodon"></i> {{ __('settings.connect') }}
                             @endforeach
 
                         </table>
-                        <a href="{{ route('delsession') }}" class="btn btn-block btn-outline-danger mx-0"
-                           role="button">{{ __('settings.deleteallsessions') }}</a>
+                        <form method="POST" action="{{ route('delsession') }}">
+                            @csrf
+                            <button type="submit" class="btn btn-block btn-outline-danger mx-0">
+                                {{ __('settings.deleteallsessions') }}
+                            </button>
+                        </form>
+
                     </div>
                 </div>
 
@@ -389,10 +394,15 @@ class="fab fa-mastodon"></i> {{ __('settings.connect') }}
                                         <td>{{ $token['updated_at'] }}</td>
                                         <td>{{ $token['expires_at'] }}</td>
                                         <td>
-                                            <a href="{{ route('deltoken', ['id' => $token['id']]) }}"
-                                               alt="{{ __('settings.deletetokenfor') }}  {{ $token['clientName'] }}"
-                                               class="btn btn-block btn-danger mx-0"
-                                               role="button"><i class="fas fa-trash"></i></a></td>
+                                            <form method="POST" action="{{ route('deltoken') }}">
+                                                @csrf
+                                                <input type="hidden" name="tokenId" value="{{$token['id']}}"/>
+                                                <button class="btn btn-block btn-danger mx-0" role="button">
+                                                    <i class="fas fa-trash"></i>
+                                                </button>
+                                            </form>
+
+                                        </td>
                                     </tr>
                                 @endforeach
                             </table>

diff --git a/routes/web.php b/routes/web.php
@@ -140,10 +140,10 @@
     Route::get('/settings/deleteProfilePicture', [UserController::class, 'deleteProfilePicture'])
          ->name('settings.delete-profile-picture');
 
-    Route::get('/settings/delsession', [UserController::class, 'deleteSession'])
+    Route::post('/settings/delsession', [UserController::class, 'deleteSession'])
          ->name('delsession');
 
-    Route::get('/settings/deltoken/{id}', [UserController::class, 'deleteToken'])
+    Route::post('/settings/deltoken', [UserController::class, 'deleteToken'])
          ->name('deltoken');
 
     Route::get('/dashboard', [FrontendStatusController::class, 'getDashboard'])