Implement URL tokens

Add basic XSRF protection
author: Steven Barth <steven@midlink.org> 2008-12-14 21:43:10 +0000
committer: Steven Barth <steven@midlink.org> 2008-12-14 21:43:10 +0000
commit: 271c53a4af7a79414a440b3a4d90ef7dbc48fd77 (patch)
tree: 34223ecf89d402db4b5222e1e2ee70f738a5e53b /modules/rpc
parent: 509a3daadbfcd9cbe550ff9c70a6f7af55dd2a0f (diff)
1 files changed, 18 insertions, 5 deletions
diff --git a/modules/rpc/luasrc/controller/rpc.lua b/modules/rpc/luasrc/controller/rpc.lua
index 2eef7a0eb..d83c26d45 100644
--- a/modules/rpc/luasrc/controller/rpc.lua
+++ b/modules/rpc/luasrc/controller/rpc.lua
@@ -52,20 +52,33 @@ function rpc_auth()
 	local http    = require "luci.http"
 	local sys     = require "luci.sys"
 	local ltn12   = require "luci.ltn12"
+	local util    = require "luci.util"
 	
 	local loginstat
 	
 	local server = {}
-	server.login = function(user, pass)
-		local sid
-		
+	server.challenge = function(user, pass)
+		local sid, token, secret
+
 		if sys.user.checkpasswd(user, pass) then
 			sid = sys.uniqueid(16)
+			token = sys.uniqueid(16)
+			secret = sys.uniqueid(16)
+
 			http.header("Set-Cookie", "sysauth=" .. sid.."; path=/")
-			sauth.write(sid, user)
+			sauth.write(sid, util.get_bytecode({
+				user=user,
+				token=token,
+				secret=secret
+			}))
 		end
 		
-		return sid
+		return sid and {sid=sid, token=token, secret=secret}
+	end
+
+	server.login = function(...)
+		local challenge = server.challenge(...)
+		return challenge and challenge.sid
 	end
 	
 	http.prepare_content("application/json")
author	Steven Barth <steven@midlink.org>	2008-12-14 21:43:10 +0000
committer	Steven Barth <steven@midlink.org>	2008-12-14 21:43:10 +0000
commit	271c53a4af7a79414a440b3a4d90ef7dbc48fd77 (patch)
tree	34223ecf89d402db4b5222e1e2ee70f738a5e53b /modules/rpc
parent	509a3daadbfcd9cbe550ff9c70a6f7af55dd2a0f (diff)