diff options
author | Steven Barth <steven@midlink.org> | 2008-12-14 21:43:10 +0000 |
---|---|---|
committer | Steven Barth <steven@midlink.org> | 2008-12-14 21:43:10 +0000 |
commit | 271c53a4af7a79414a440b3a4d90ef7dbc48fd77 (patch) | |
tree | 34223ecf89d402db4b5222e1e2ee70f738a5e53b /modules | |
parent | 509a3daadbfcd9cbe550ff9c70a6f7af55dd2a0f (diff) |
Implement URL tokens
Add basic XSRF protection
Diffstat (limited to 'modules')
-rw-r--r-- | modules/rpc/luasrc/controller/rpc.lua | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/modules/rpc/luasrc/controller/rpc.lua b/modules/rpc/luasrc/controller/rpc.lua index 2eef7a0eb..d83c26d45 100644 --- a/modules/rpc/luasrc/controller/rpc.lua +++ b/modules/rpc/luasrc/controller/rpc.lua @@ -52,20 +52,33 @@ function rpc_auth() local http = require "luci.http" local sys = require "luci.sys" local ltn12 = require "luci.ltn12" + local util = require "luci.util" local loginstat local server = {} - server.login = function(user, pass) - local sid - + server.challenge = function(user, pass) + local sid, token, secret + if sys.user.checkpasswd(user, pass) then sid = sys.uniqueid(16) + token = sys.uniqueid(16) + secret = sys.uniqueid(16) + http.header("Set-Cookie", "sysauth=" .. sid.."; path=/") - sauth.write(sid, user) + sauth.write(sid, util.get_bytecode({ + user=user, + token=token, + secret=secret + })) end - return sid + return sid and {sid=sid, token=token, secret=secret} + end + + server.login = function(...) + local challenge = server.challenge(...) + return challenge and challenge.sid end http.prepare_content("application/json") |