From 7d4ef127cbd53ca11e2b2b26a46b28a0bd9c54a7 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Mon, 1 Apr 2019 07:52:30 +0200
Subject: [PATCH] src/server/rest.rs: generate csrf token if we have a valid ticket

This is important if the user reloads the browser page.
---
 src/server/rest.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/server/rest.rs b/src/server/rest.rs
index 022155db..44e9943f 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -589,11 +589,18 @@ pub fn handle_request(api: Arc, req: Request) -> BoxFut {
 } else {
 // not Auth required for accessing files!
 
+ if method != hyper::Method::GET {
+ return Box::new(future::err(http_err!(BAD_REQUEST, format!("Unsupported method"))));
+ }
+
 if comp_len == 0 {
 let (ticket, token) = extract_auth_data(&parts.headers);
 if ticket != None {
 match check_auth(&method, &ticket, &token) {
- Ok(username) => return Box::new(future::ok(get_index(Some(username), token))),
+ Ok(username) => {
+ let new_token = assemble_csrf_prevention_token(csrf_secret(), &username);
+ return Box::new(future::ok(get_index(Some(username), Some(new_token))));
+ }
 _ => return delayed_response(get_index(None, None), delay_unauth_time),
 }
 } else {
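Review bot: The method guard added at the top of the unauthenticated branch answers a non-GET with 400 BAD_REQUEST, but the semantically right status for a path that only serves GET is 405 METHOD_NOT_ALLOWED, and `format!("Unsupported method")` formats a literal with no arguments (clippy `useless_format`); assuming `http_err!` accepts any hyper status name, `return Box::new(future::err(http_err!(METHOD_NOT_ALLOWED, "Unsupported method".to_string())));` says the same with the correct code. In the `Ok(username)` arm the freshly minted CSRF token is embedded in an index page served on a plain GET, so that response must not be cacheable (`Cache-Control: no-store`) — whether `get_index` sets that is not visible here and is worth confirming. It is also worth checking that the token produced by `assemble_csrf_prevention_token` carries a timestamp or is otherwise bounded to the ticket's lifetime, since nothing in this hunk limits how long a minted token stays valid. `handle_request` begins and ends outside this hunk.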