From 7d4ef127cbd53ca11e2b2b26a46b28a0bd9c54a7 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer <dietmar@proxmox.com>
Date: Mon, 1 Apr 2019 07:52:30 +0200
Subject: [PATCH] src/server/rest.rs: generate csrf token if we have a valid
 ticket

This is important if the user reloads the browser page.
---
 src/server/rest.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/server/rest.rs b/src/server/rest.rs
index 022155db..44e9943f 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -589,11 +589,18 @@ pub fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> BoxFut {
     } else {
         // not Auth required for accessing files!
 
+        if method != hyper::Method::GET {
+            return Box::new(future::err(http_err!(BAD_REQUEST, format!("Unsupported method"))));
+        }
+
         if comp_len == 0 {
             let (ticket, token) = extract_auth_data(&parts.headers);
             if ticket != None {
                 match check_auth(&method, &ticket, &token) {
-                    Ok(username) => return Box::new(future::ok(get_index(Some(username), token))),
+                    Ok(username) => {
+                        let new_token = assemble_csrf_prevention_token(csrf_secret(), &username);
+                        return Box::new(future::ok(get_index(Some(username), Some(new_token))));
+                    }
                     _ => return delayed_response(get_index(None, None), delay_unauth_time),
                 }
             } else {