From c1635e24fb78d981a790463cfe35ba552bcaac04 Mon Sep 17 00:00:00 2001
From: Derf Null <derf@finalrewind.org>
Date: Sun, 4 Jun 2023 19:25:24 +0200
Subject: use a separate bad_request page for CSRF errors

---
 lib/Travelynx/Controller/Account.pm     | 67 ++++++++++++++++++++++-----------
 lib/Travelynx/Controller/Api.pm         |  6 ++-
 lib/Travelynx/Controller/Traewelling.pm |  5 ++-
 lib/Travelynx/Controller/Traveling.pm   |  7 ++--
 templates/_invalid_input.html.ep        |  9 +----
 templates/bad_request.html.ep           | 19 ++++++++++
 6 files changed, 77 insertions(+), 36 deletions(-)
 create mode 100644 templates/bad_request.html.ep

diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm
index db8c92b..511f764 100644
--- a/lib/Travelynx/Controller/Account.pm
+++ b/lib/Travelynx/Controller/Account.pm
@@ -247,8 +247,9 @@ sub do_login {
 
 	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
 		$self->render(
-			'login',
-			invalid => 'csrf',
+			'bad_request',
+			csrf   => 1,
+			status => 400
 		);
 	}
 	else {
@@ -288,8 +289,9 @@ sub register {
 
 	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
 		$self->render(
-			'register',
-			invalid => 'csrf',
+			'bad_request',
+			csrf   => 1,
+			status => 400
 		);
 		return;
 	}
@@ -345,8 +347,9 @@ sub register {
 		# a human user should take at least five seconds to fill out the form.
 		# Throw a CSRF error at presumed spammers.
 		$self->render(
-			'register',
-			invalid => 'csrf',
+			'bad_request',
+			csrf   => 1,
+			status => 400
 		);
 		return;
 	}
@@ -408,8 +411,11 @@ sub delete {
 	my ($self) = @_;
 	my $uid = $self->current_user->{id};
 	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
-		$self->flash( invalid => 'csrf' );
-		$self->redirect_to('account');
+		$self->render(
+			'bad_request',
+			csrf   => 1,
+			status => 400
+		);
 		return;
 	}
 
@@ -436,7 +442,11 @@ sub delete {
 sub do_logout {
 	my ($self) = @_;
 	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
-		$self->render( 'login', invalid => 'csrf' );
+		$self->render(
+			'bad_request',
+			csrf   => 1,
+			status => 400
+		);
 		return;
 	}
 	$self->logout;
@@ -503,8 +513,9 @@ sub social {
 	if ( $self->param('action') and $self->param('action') eq 'save' ) {
 		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
 			$self->render(
-				'social',
-				invalid => 'csrf',
+				'bad_request',
+				csrf   => 1,
+				status => 400
 			);
 			return;
 		}
@@ -724,8 +735,9 @@ sub profile {
 	if ( $self->param('action') and $self->param('action') eq 'save' ) {
 		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
 			$self->render(
-				'edit_profile',
-				invalid => 'csrf',
+				'bad_request',
+				csrf   => 1,
+				status => 400
 			);
 			return;
 		}
@@ -908,8 +920,9 @@ sub change_mail {
 	if ( $action and $action eq 'update_mail' ) {
 		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
 			$self->render(
-				'change_mail',
-				invalid => 'csrf',
+				'bad_request',
+				csrf   => 1,
+				status => 400
 			);
 			return;
 		}
@@ -967,9 +980,9 @@ sub change_name {
 	if ( $action and $action eq 'update_name' ) {
 		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
 			$self->render(
-				'change_name',
-				name    => $old_name,
-				invalid => 'csrf',
+				'bad_request',
+				csrf   => 1,
+				status => 400
 			);
 			return;
 		}
@@ -1033,7 +1046,11 @@ sub change_password {
 	my $password2    = $self->req->param('newpw2');
 
 	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
-		$self->render( 'change_password', invalid => 'csrf' );
+		$self->render(
+			'bad_request',
+			csrf   => 1,
+			status => 400
+		);
 		return;
 	}
 
@@ -1074,7 +1091,11 @@ sub request_password_reset {
 
 	if ( $self->param('action') and $self->param('action') eq 'initiate' ) {
 		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
-			$self->render( 'recover_password', invalid => 'csrf' );
+			$self->render(
+				'bad_request',
+				csrf   => 1,
+				status => 400
+			);
 			return;
 		}
 
@@ -1131,7 +1152,11 @@ sub request_password_reset {
 		my $password2 = $self->param('newpw2');
 
 		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
-			$self->render( 'set_password', invalid => 'csrf' );
+			$self->render(
+				'bad_request',
+				csrf   => 1,
+				status => 400
+			);
 			return;
 		}
 		if (
diff --git a/lib/Travelynx/Controller/Api.pm b/lib/Travelynx/Controller/Api.pm
index 0410fc6..0382ba8 100755
--- a/lib/Travelynx/Controller/Api.pm
+++ b/lib/Travelynx/Controller/Api.pm
@@ -567,7 +567,11 @@ sub import_v1 {
 sub set_token {
 	my ($self) = @_;
 	if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
-		$self->render( 'account', invalid => 'csrf' );
+		$self->render(
+			'bad_request',
+			csrf   => 1,
+			status => 400
+		);
 		return;
 	}
 	my $token    = make_token();
diff --git a/lib/Travelynx/Controller/Traewelling.pm b/lib/Travelynx/Controller/Traewelling.pm
index 31f4a84..71df7f1 100644
--- a/lib/Travelynx/Controller/Traewelling.pm
+++ b/lib/Travelynx/Controller/Traewelling.pm
@@ -15,8 +15,9 @@ sub settings {
 		and $self->validation->csrf_protect->has_error('csrf_token') )
 	{
 		$self->render(
-			'traewelling',
-			invalid => 'csrf',
+			'bad_request',
+			csrf   => 1,
+			status => 400
 		);
 		return;
 	}
diff --git a/lib/Travelynx/Controller/Traveling.pm b/lib/Travelynx/Controller/Traveling.pm
index 5483e00..80214ab 100755
--- a/lib/Travelynx/Controller/Traveling.pm
+++ b/lib/Travelynx/Controller/Traveling.pm
@@ -1529,10 +1529,9 @@ sub visibility_form {
 	if ( $action eq 'save' ) {
 		if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
 			$self->render(
-				'edit_visibility',
-				error      => 'csrf',
-				user_level => $user_level,
-				journey    => {}
+				'bad_request',
+				csrf   => 1,
+				status => 400
 			);
 		}
 		elsif ( $dep_ts and $dep_ts != $status->{sched_departure}->epoch ) {
diff --git a/templates/_invalid_input.html.ep b/templates/_invalid_input.html.ep
index 6b0fb65..f8c4e2f 100644
--- a/templates/_invalid_input.html.ep
+++ b/templates/_invalid_input.html.ep
@@ -2,14 +2,7 @@
 	<div class="col s12">
 		<div class="card caution-color">
 			<div class="card-content white-text">
-				% if ($invalid eq 'csrf') {
-					<span class="card-title">Ungültiger CSRF-Token</span>
-					<p>Sind Cookies aktiviert? Ansonsten könnte es sich um einen
-					Fall von <a
-					href="https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery">CSRF</a>
-					handeln.</p>
-				% }
-				% elsif ($invalid eq 'credentials') {
+				% if ($invalid eq 'credentials') {
 					<span class="card-title">Ungültige Logindaten</span>
 					<p>Falscher Account oder falsches Passwort.</p>
 				% }
diff --git a/templates/bad_request.html.ep b/templates/bad_request.html.ep
new file mode 100644
index 0000000..5d401da
--- /dev/null
+++ b/templates/bad_request.html.ep
@@ -0,0 +1,19 @@
+<div class="row">
+	<div class="col s12">
+		<div class="card caution-color">
+			<div class="card-content white-text">
+				<span class="card-title">400 Bad Request</span>
+				% if (stash('csrf')) {
+					<p>Ungültiger CSRF-Token. Dieser dient zum Schutz vor Cross-Site Request Forgery.</p>
+					<p>Falls du von einer externen Seite hierhin geleitet wurdest, wurde möglicherweise (erfolglos) versucht, deinen Account anzugreifen. Falls du von travelynx selbst aus hier angekommen bist, kann es sich um eine fehlerhafte Cookie-Konfiguration im Browser, eine abgelaufene Session (→ bitte nochmal versuchen) oder du einen Bug in travelynx handeln (→ bitte melden).</p>
+				% }
+				% elsif (my $m = stash('message')) {
+					<p><%= $m %></p>
+				% }
+				% else {
+					<p>Diese Anfrage ist ungültig. Ursache kann z.B. eine abgelaufene Session oder ein Bug in travelynx sein.</p>
+				% }
+			</div>
+		</div>
+	</div>
+</div>
-- 
cgit v1.2.3