src/server/rest.rs: generate csrf token if we have a valid ticket

This is important if the user reloads the browser page.
2019-04-01 07:52:30 +02:00 · 2019-04-01 07:52:30 +02:00 · 7d4ef127cb
parent 11861a482d
commit 7d4ef127cb
1 changed files with 8 additions and 1 deletions
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@ -589,11 +589,18 @@ pub fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> BoxFut {
    } else {
        // not Auth required for accessing files!

+        if method != hyper::Method::GET {
+            return Box::new(future::err(http_err!(BAD_REQUEST, format!("Unsupported method"))));
+        }
+
        if comp_len == 0 {
            let (ticket, token) = extract_auth_data(&parts.headers);
            if ticket != None {
                match check_auth(&method, &ticket, &token) {
-                    Ok(username) => return Box::new(future::ok(get_index(Some(username), token))),
+                    Ok(username) => {
+                        let new_token = assemble_csrf_prevention_token(csrf_secret(), &username);
+                        return Box::new(future::ok(get_index(Some(username), Some(new_token))));
+                    }
                    _ => return delayed_response(get_index(None, None), delay_unauth_time),
                }
            } else {