authorDaniel Friesel <derf@finalrewind.org>2019-03-02 18:08:48 +0100
committerDaniel Friesel <derf@finalrewind.org>2019-03-02 18:08:48 +0100
commit856a66c0bea917af8c7efd907d2200c01bab382b (patch)
tree20a0de23381c7a1593ed37529e1fcc87022364d9
parentc6fd0a0efb8582e48d2eacafc0968938126bddd4 (diff)
implement user/password/csrf checks for login form
-rwxr-xr-xindex.pl63
-rw-r--r--templates/login.html.ep52
-rw-r--r--templates/register.html.ep16
3 files changed, 103 insertions, 28 deletions
diff --git a/index.pl b/index.pl
index ba9e338..1c32fcb 100755
--- a/index.pl
+++ b/index.pl
@@ -34,26 +34,28 @@ my %action_type = (
undo => 3,
);
-app->plugin(authentication => {
- autoload_user => 1,
- session_key => 'foodor',
- load_user => sub {
- my ($app, $uid) = @_;
- if ($uid == 1) {
- return {
- name => 'derf',
- };
- }
- return undef;
- },
- validate_user => sub {
- my ($c, $username, $password, $extradata) = @_;
- if ($username eq 'derf' and $password eq 'hallo') {
- return 1;
- }
- return undef;
- },
-});
+app->plugin(
+ authentication => {
+ autoload_user => 1,
+ session_key => 'foodor',
+ load_user => sub {
+ my ( $app, $uid ) = @_;
+ if ( $uid == 1 ) {
+ return {
+ name => 'dev',
+ };
+ }
+ return undef;
+ },
+ validate_user => sub {
+ my ( $c, $username, $password, $extradata ) = @_;
+ if ( $username eq 'dev' and $password eq 'ohai' ) {
+ return 1;
+ }
+ return undef;
+ },
+ }
+);
app->defaults( layout => 'default' );
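Review bot: validate_user (the `$username eq 'dev' and $password eq 'ohai'` line) still keeps a plaintext username and password as literals in the source, so the secret sits in version control and in every deployed copy; the commit only swaps the old pair for a new one. As I read Mojolicious::Plugin::Authentication's contract, the value validate_user returns is the uid later handed to load_user, so the literal `1` only works because load_user special-cases uid 1 — that coupling deserves a comment so it survives the move to a real user store, e.g. `# dev-only fixture: the return value is the uid that load_user resolves; replace with a DB lookup and a hashed-password comparison`. Both `return undef;` lines would read `return;` so a list-context caller does not receive a one-element list.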
@@ -799,6 +801,27 @@ get '/x/login' => sub {
$self->render('login');
};
+post '/x/login' => sub {
+ my ($self) = @_;
+ my $user = $self->req->param('user');
+ my $password = $self->req->param('password');
+
+ if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
+ $self->render(
+ 'login',
+ invalid => 'csrf',
+ );
+ }
+ else {
+ if ( $self->authenticate( $user, $password ) ) {
+ $self->redirect_to('/');
+ }
+ else {
+ $self->render( 'login', invalid => 'credentials' );
+ }
+ }
+};
+
get '/x/register' => sub {
my ($self) = @_;
$self->render('register');
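Review bot: `$user` and `$password` at the top of the new `post '/x/login'` handler are undef when the form field is absent, and that undef then reaches the `eq` comparison in validate_user, which emits an uninitialized-value warning per request; default them with `my $user = $self->req->param('user') // '';` and `my $password = $self->req->param('password') // '';`. Both failure branches render the login page with the default 200 status; `status => 403` on the CSRF branch and `status => 401` on the credentials branch would let logs and clients tell a failed login from an ordinary page load. Nothing in the hunk reissues the session after a successful `authenticate`; if the plugin does not do that itself, the session id issued before login is kept, which is worth confirming. The `get '/x/register'` handler that follows continues past the hunk.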
diff --git a/templates/login.html.ep b/templates/login.html.ep
index b9b79eb..74deaef 100644
--- a/templates/login.html.ep
+++ b/templates/login.html.ep
@@ -1,18 +1,54 @@
+% if (my $invalid = stash('invalid')) {
+ <div class="row">
+ <div class="col s12">
+ <div class="card red darken-4">
+ <div class="card-content white-text">
+ % if ($invalid eq 'csrf') {
+ <span class="card-title">Ungültiger CSRF-Token</span>
+ <p>Sind Cookies aktiviert? Ansonsten könnte es sich um einen
+ Fall von <a
+ href="https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery">CSRF</a>
+ handeln.</p>
+ % }
+ % elsif ($invalid eq 'credentials') {
+ <span class="card-title">Ungültige Logindaten</span>
+ <p>Falscher Account oder falsches Passwort.</p>
+ % }
+ % else {
+ <span class="card-title">Unbekannter Fehler</span>
+ <p>Das sollte nicht passieren™</p>
+ % }
+ </div>
+ </div>
+ </div>
+ </div>
+% }
<div class="row">
- <form class="col s12">
+ %= form_for '/x/login' => (class => 'col s12', method => 'POST') => begin
+ %= csrf_field
<div class="row">
<div class="input-field col s12">
<i class="material-icons prefix">account_circle</i>
- <input id="user" type="text" class="validate">
- <label for="user">User</label>
+ <input name="user" id="user" type="text" class="validate">
+ <label for="user">Account</label>
</div>
- </div>
- <div class="row">
<div class="input-field col s12">
<i class="material-icons prefix">lock</i>
- <input id="password" type="password" class="validate">
- <label for="password">Password</label>
+ <input name="password" id="password" type="password" class="validate">
+ <label for="password">Passwort</label>
+ </div>
+ </div>
+ <div class="row">
+ <div class="col s3 m3 l3">
+ </div>
+ <div class="col s6 m6 l6 center-align">
+ <button class="btn waves-effect waves-light" type="submit" name="action" value="login">
+ Anmelden
+ <i class="material-icons right">send</i>
+ </button>
+ </div>
+ <div class="col s3 m3 l3">
</div>
</div>
- </form>
+ %= end
</div>
diff --git a/templates/register.html.ep b/templates/register.html.ep
index 4431330..772d9af 100644
--- a/templates/register.html.ep
+++ b/templates/register.html.ep
@@ -36,3 +36,19 @@
</div>
%= end
</div>
+<div class="row">
+ <div class="col s12">
+ <p>
+ Die Mail-Adresse wird ausschließlich zur Bestätigung der Anmeldung
+ und für die "Passwort vergessen"-Funktionalität verwendet und nicht
+ an Dritte weitergegeben. Weitere erhobene Daten sowie deren Zweck
+ und Speicherfristen werden in der <a
+ href="/x/impressum">Datenschutzerklärung</a> beschrieben.
+ </p>
+ <p>
+ Für jeden Account wird das Datum der letzten Anmeldung gespeichert.
+ Accounts, die mehr als ein Jahr (12 Monate) nicht genutzt wurden,
+ werden automatisch und unwiderruflich gelöscht.
+ </p>
+ </div>
+</div>