Add CSRF check on login and logout

[LukasReschke]

This is a minor issue and not worth a backport in my opinion as it could break more things than it's worth having it.

[ghost]

🚀 Test Passed. 🚀
Refer to this link for build results: https://ci.owncloud.org/job/pull-request-analyser/4550/

[LukasReschke]

@PVince81 @bantu @karlitschek
May I ask you to review this? - Testing is trivial. Just verify that the login and logout is still working :-)
(Additionally you can remove the token from the request to see the CSRF exception triggered)

The reason for this change is that an attacker may force the victim to send a crafted logout request and then a login request with the attackers credentials. A users could then be tricked to upload/modify data without knowing that he is logged into another account => the attacker is able to access this data too.
Since this involves massive user interaction I do not consider this worth a backport.

[karlitschek]

makes sense. Can´t test at the moment 👍

[PVince81]

Is there some regression testing to be done here as well ?
In the past we had cases where people had the "remember me" cookie set but after upgrading they got a message about a possible CSRF and couldn't login any more.

I suppose this here might need upgrade testing as well, then ?

[PVince81]

Ok, it looks like this one doesn't involve cookies.
I'll test logging in and out.

[PVince81]

In general it seems to work but I found a corner case:

1. Login
2. Clear cookies to kill the session
3. From the still visible OC window, select "Log out"
4. In the login page, login again
5. A JSON message appears "Token expired".

This is because the login page tries to redirect to the "logout" URL from step 3)

[LukasReschke]

@PVince81 Nice catch! - Could have created some confusions in case a session was invalidated due to timeout/whatever.

I've added a commit to prevent that situation. Please review.

[ghost]

🚀 Test Passed. 🚀
Refer to this link for build results: https://ci.owncloud.org/job/pull-request-analyser/4688/

[DeepDiver1975]

rebased - tested 👍

[scrutinizer-notifier]

The inspection completed: 4 new issues

[ghost]

💣 Test Failed. 💣
Refer to this link for build results: https://ci.owncloud.org/job/pull-request-analyser/4870/

[LukasReschke]

@blizzz My 🔮 said you'd be happy to review this!

[DeepDiver1975]

@owncloud-bot retest this please

[ghost]

💣 Test Failed. 💣
Refer to this link for build results: https://ci.owncloud.org/job/pull-request-analyser/5178/

[DeepDiver1975]

@owncloud-bot retest this please

[ghost]

🚀 Test Passed. 🚀
Refer to this link for build results: https://ci.owncloud.org/job/pull-request-analyser/5179/

[PVince81]

👍 works, also works with the case mentionned in #8443 (comment)