From 856a66c0bea917af8c7efd907d2200c01bab382b Mon Sep 17 00:00:00 2001
From: Daniel Friesel
Date: Sat, 2 Mar 2019 18:08:48 +0100
Subject: implement user/password/csrf checks for login form
---
 index.pl | 63 +++++++++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 43 insertions(+), 20 deletions(-)
(limited to 'index.pl')
diff --git a/index.pl b/index.pl
index ba9e338..1c32fcb 100755
--- a/index.pl
+++ b/index.pl
@@ -34,26 +34,28 @@ my %action_type = (
 undo => 3,
 );
 
-app->plugin(authentication => {
- autoload_user => 1,
- session_key => 'foodor',
- load_user => sub {
- my ($app, $uid) = @_;
- if ($uid == 1) {
- return {
- name => 'derf',
- };
- }
- return undef;
- },
- validate_user => sub {
- my ($c, $username, $password, $extradata) = @_;
- if ($username eq 'derf' and $password eq 'hallo') {
- return 1;
- }
- return undef;
- },
-});
+app->plugin(
+ authentication => {
+ autoload_user => 1,
+ session_key => 'foodor',
+ load_user => sub {
+ my ( $app, $uid ) = @_;
+ if ( $uid == 1 ) {
+ return {
+ name => 'dev',
+ };
+ }
+ return undef;
+ },
+ validate_user => sub {
+ my ( $c, $username, $password, $extradata ) = @_;
+ if ( $username eq 'dev' and $password eq 'ohai' ) {
+ return 1;
+ }
+ return undef;
+ },
+ }
+);
 
 app->defaults( layout => 'default' );
 
@@ -799,6 +801,27 @@ get '/x/login' => sub {
 $self->render('login');
 };
 
+post '/x/login' => sub {
+ my ($self) = @_;
+ my $user = $self->req->param('user');
+ my $password = $self->req->param('password');
+
+ if ( $self->validation->csrf_protect->has_error('csrf_token') ) {
+ $self->render(
+ 'login',
+ invalid => 'csrf',
+ );
+ }
+ else {
+ if ( $self->authenticate( $user, $password ) ) {
+ $self->redirect_to('/');
+ }
+ else {
+ $self->render( 'login', invalid => 'credentials' );
+ }
+ }
+};
+
 get '/x/register' => sub {
 my ($self) = @_;
 $self->render('register');
-- cgit v1.2.3
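Review bot: validate_user in the rebuilt plugin block still checks the submitted password against a literal in the source (`$username eq 'dev' and $password eq 'ohai'`), so this hunk only swaps one hard-coded credential for another; anyone who can read index.pl has the login, and rotating it requires a code change. Keeping the user name and a password hash in configuration and comparing the hash of the submitted value would keep the secret out of the repository. Both callbacks also end with `return undef;`, which yields a one-element list in list context; a bare `return;` is the safer idiom if the plugin ever evaluates them in list context. The file content between this hunk and the next is not shown.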
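Review bot: The new post '/x/login' handler hands `$user` and `$password` to authenticate even when the form omitted those fields, so a request without them reaches validate_user with undef and triggers "Use of uninitialized value" warnings in the `eq` comparisons instead of a clean rejection. Defaulting them at the top of the handler, `my $user = $self->req->param('user') // q{};` and `my $password = $self->req->param('password') // q{};`, keeps the comparison well-defined and still fails the login. The `else { if (...) {...} else {...} }` nesting could also be flattened to an `elsif`, since each branch only renders or redirects.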