Fix 403 errors after signup

Closes #2819 - Keep around the _csrfSecret on the session after regenerating
TryGhost · May 27, 2014 · dc58d69 · dc58d69
1 parent 40d4cc7
commit dc58d69
Showing 1 changed file with 23 additions and 11 deletions.
diff --git a/core/server/controllers/admin.js b/core/server/controllers/admin.js
@@ -216,8 +216,13 @@ adminControllers = {
         if (!denied) {
             loginSecurity.push({ip: remoteAddress, time: currentTime});
             api.users.check({email: req.body.email, pw: req.body.password}).then(function (user) {
+                // Carry over the csrf secret
+                var existingSecret = req.session._csrfSecret;
+
                 req.session.regenerate(function (err) {
                     if (!err) {
+                        req.session._csrfSecret = existingSecret;
+
                         req.session.user = user.id;
                         req.session.userData = user.attributes;
 
@@ -254,7 +259,7 @@ adminControllers = {
     // Route: doSignup
     // Path: /ghost/signup/
     // Method: POST
-    'doSignup': function (req, res) {
+    'doSignup': function (req, res, next) {
         var name = req.body.name,
             email = req.body.email,
             password = req.body.password,
@@ -285,7 +290,8 @@ adminControllers = {
                             message: message,
                             options: {}
                         }]
-                    };
+                    },
+                    existingSecret;
 
                 api.mail.send(payload).otherwise(function (error) {
                     errors.logError(
@@ -295,18 +301,24 @@ adminControllers = {
                     );
                 });
 
+                // Carry over the csrf secret
+                existingSecret = req.session._csrfSecret;
                 req.session.regenerate(function (err) {
-                    if (!err) {
-                        if (req.session.user === undefined) {
-                            req.session.user = user.id;
-                            req.session.userData = user;
-                        }
+                    if (err) {
+                        return next(err);
+                    }
 
-                        res.json(200, {
-                            redirect: config().paths.subdir + '/ghost/',
-                            userData: req.session.userData
-                        });
+                    req.session._csrfSecret = existingSecret;
+
+                    if (req.session.user === undefined) {
+                        req.session.user = user.id;
+                        req.session.userData = user;
                     }
+
+                    res.json(200, {
+                        redirect: config().paths.subdir + '/ghost/',
+                        userData: req.session.userData
+                    });
                 });
             });
         }).otherwise(function (error) {