Merge pull request #1176 from lethjakman/auth_set_password_csrf

Auth password handler CSRF

yesod-auth/Yesod/Auth/Email.hs

@@ -107,6 +107,7 @@ data EmailCreds site = EmailCreds
     , emailCredsEmail  :: Email
     }
 
+data PasswordForm = PasswordForm { passwordCurrent :: Text, passwordNew :: Text, passwordConfirm :: Text }
 data UserForm = UserForm { email :: Text }
 data UserLoginForm = UserLoginForm { loginEmail :: Text, loginPassword :: Text }
 
@@ -516,40 +517,77 @@ getPasswordR = do
 -- Since: 1.2.6
 defaultSetPasswordHandler :: YesodAuthEmail master => Bool -> AuthHandler master TypedContent
 defaultSetPasswordHandler needOld = do
-    tp <- getRouteToParent
+    messageRender <- lift getMessageRender
-    pass0 <- newIdent
+    toParent <- getRouteToParent
-    pass1 <- newIdent
-    pass2 <- newIdent
-    mr <- lift getMessageRender
     selectRep $ do
-      provideJsonMessage $ mr Msg.SetPass
+        provideJsonMessage $ messageRender Msg.SetPass
-      provideRep $ lift $ authLayout $ do
+        provideRep $ lift $ authLayout $ do
-          setTitleI Msg.SetPassTitle
+            ((_,widget),enctype) <- liftWidgetT $ runFormPost $ setPasswordForm needOld
-          [whamlet|
+            setTitleI Msg.SetPassTitle
-$newline never
+            [whamlet|
-<h3>_{Msg.SetPass}
+                <h3>_{Msg.SetPass}
-<form method="post" action="@{tp setpassR}">
+                <form method="post" action="@{toParent setpassR}">
-    <table>
+                    ^{widget}
-        $if needOld
+            |]
-            <tr>
+  where
-                <th>
+    setPasswordForm needOld extra = do
-                    <label for=#{pass0}>Current Password
+        (currentPasswordRes, currentPasswordView) <- mreq passwordField currentPasswordSettings Nothing
-                <td>
+        (newPasswordRes, newPasswordView) <- mreq passwordField newPasswordSettings Nothing
-                    <input ##{pass0} type="password" name="current" autofocus>
+        (confirmPasswordRes, confirmPasswordView) <- mreq passwordField confirmPasswordSettings Nothing
-        <tr>
+
-            <th>
+        let passwordFormRes = PasswordForm <$> currentPasswordRes <*> newPasswordRes <*> confirmPasswordRes
-                <label for=#{pass1}>_{Msg.NewPass}
+        let widget = do
-            <td>
+            [whamlet|
-                <input ##{pass1} type="password" name="new" :not needOld:autofocus>
+                #{extra}
-        <tr>
+                <table>
-            <th>
+                    $if needOld
-                <label for=#{pass2}>_{Msg.ConfirmPass}
+                        <tr>
-            <td>
+                            <th>
-                <input ##{pass2} type="password" name="confirm">
+                                ^{fvLabel currentPasswordView}
-        <tr>
+                            <td>
-            <td colspan="2">
+                                ^{fvInput currentPasswordView}
-                <input type="submit" value=_{Msg.SetPassTitle}>
+                    <tr>
-|]
+                        <th>
+                            ^{fvLabel newPasswordView}
+                        <td>
+                            ^{fvInput newPasswordView}
+                    <tr>
+                        <th>
+                            ^{fvLabel confirmPasswordView}
+                        <td>
+                            ^{fvInput confirmPasswordView}
+                    <tr>
+                        <td colspan="2">
+                            <input type=submit value=_{Msg.SetPassTitle}>
+            |]
+
+        return (passwordFormRes, widget)
+    currentPasswordSettings =
+         FieldSettings {
+             fsLabel = SomeMessage Msg.CurrentPassword,
+             fsTooltip = Nothing,
+             fsId = Just "currentPassword",
+             fsName = Just "current",
+             fsAttrs = [("autofocus", "")]
+         }
+    newPasswordSettings =
+        FieldSettings {
+            fsLabel = SomeMessage Msg.NewPass,
+            fsTooltip = Nothing,
+            fsId = Just "newPassword",
+            fsName = Just "new",
+            fsAttrs = [("autofocus", ""), (":not", ""), ("needOld:autofocus", "")]
+        }
+    confirmPasswordSettings =
+        FieldSettings {
+            fsLabel = SomeMessage Msg.ConfirmPass,
+            fsTooltip = Nothing,
+            fsId = Just "confirmPassword",
+            fsName = Just "confirm",
+            fsAttrs = [("autofocus", "")]
+        }
+
+
 
 postPasswordR :: YesodAuthEmail master => HandlerT Auth (HandlerT master IO) TypedContent
 postPasswordR = do

yesod-auth/Yesod/Auth/Message.hs

@@ -60,6 +60,7 @@ data AuthMessage =
     | ProvideIdentifier
     | SendPasswordResetEmail
     | PasswordResetPrompt
+    | CurrentPassword
     | InvalidUsernamePass
     | Logout
     | LogoutTitle
@@ -78,6 +79,7 @@ englishMessage LoginYahoo = "Login via Yahoo"
 englishMessage Email = "Email"
 englishMessage UserName = "User name"
 englishMessage Password = "Password"
+englishMessage CurrentPassword = "Current Password"
 englishMessage Register = "Register"
 englishMessage RegisterLong = "Register a new account"
 englishMessage EnterEmail = "Enter your e-mail address below, and a confirmation e-mail will be sent to you."
@@ -124,6 +126,7 @@ portugueseMessage LoginYahoo = "Entrar via Yahoo"
 portugueseMessage Email = "E-mail"
 portugueseMessage UserName = "Nome de usuário" -- FIXME by Google Translate "user name"
 portugueseMessage Password = "Senha"
+portugueseMessage CurrentPassword = "Palavra de passe"
 portugueseMessage Register = "Registrar"
 portugueseMessage RegisterLong = "Registrar uma nova conta"
 portugueseMessage EnterEmail = "Por favor digite seu endereço de e-mail abaixo e um e-mail de confirmação será enviado para você."
@@ -171,6 +174,7 @@ spanishMessage LoginYahoo = "Entrar utilizando Yahoo"
 spanishMessage Email = "Correo electrónico"
 spanishMessage UserName = "Nombre de Usuario" -- FIXME by Google Translate "user name"
 spanishMessage Password = "Contraseña"
+spanishMessage CurrentPassword = "Contraseña actual"
 spanishMessage Register = "Registrarse"
 spanishMessage RegisterLong = "Registrar una nueva cuenta"
 spanishMessage EnterEmail = "Coloque su dirección de correo electrónico, y un correo de confirmación le será enviado a su cuenta."
@@ -218,6 +222,7 @@ swedishMessage LoginYahoo = "Logga in via Yahoo"
 swedishMessage Email = "Epost"
 swedishMessage UserName = "Användarnamn"  -- FIXME by Google Translate "user name"
 swedishMessage Password = "Lösenord"
+swedishMessage CurrentPassword = "Current password"
 swedishMessage Register = "Registrera"
 swedishMessage RegisterLong = "Registrera ett nytt konto"
 swedishMessage EnterEmail = "Skriv in din epost nedan så kommer ett konfirmationsmail skickas till adressen."
@@ -266,6 +271,7 @@ germanMessage LoginYahoo = "Login via Yahoo"
 germanMessage Email = "Email"
 germanMessage UserName = "Benutzername" -- FIXME by Google Translate "user name"
 germanMessage Password = "Passwort"
+germanMessage CurrentPassword = "Aktuelles Passwort"
 germanMessage Register = "Registrieren"
 germanMessage RegisterLong = "Neuen Account registrieren"
 germanMessage EnterEmail = "Bitte die e-Mail Adresse angeben, eine Bestätigungsmail wird verschickt."
@@ -313,6 +319,7 @@ frenchMessage LoginYahoo = "Se connecter avec Yahoo"
 frenchMessage Email = "Adresse électronique"
 frenchMessage UserName = "Nom d'utilisateur" -- FIXME by Google Translate "user name"
 frenchMessage Password = "Mot de passe"
+frenchMessage CurrentPassword = "Current password"
 frenchMessage Register = "S'inscrire"
 frenchMessage RegisterLong = "Créer un compte"
 frenchMessage EnterEmail = "Entrez ci-dessous votre adresse électronique, et un message de confirmation vous sera envoyé"
@@ -359,6 +366,7 @@ norwegianBokmålMessage LoginYahoo = "Logg inn med Yahoo"
 norwegianBokmålMessage Email = "E-post"
 norwegianBokmålMessage UserName = "Brukernavn" -- FIXME by Google Translate "user name"
 norwegianBokmålMessage Password = "Passord"
+norwegianBokmålMessage CurrentPassword = "Current password"
 norwegianBokmålMessage Register = "Registrer"
 norwegianBokmålMessage RegisterLong = "Registrer en ny konto"
 norwegianBokmålMessage EnterEmail = "Skriv inn e-postadressen din nedenfor og en e-postkonfirmasjon vil bli sendt."
@@ -406,6 +414,7 @@ japaneseMessage LoginYahoo = "Yahooでログイン"
 japaneseMessage Email = "Eメール"
 japaneseMessage UserName = "ユーザー名" -- FIXME by Google Translate "user name"
 japaneseMessage Password = "パスワード"
+japaneseMessage CurrentPassword = "Current password"
 japaneseMessage Register = "登録"
 japaneseMessage RegisterLong = "新規アカウント登録"
 japaneseMessage EnterEmail = "メールアドレスを入力してください。確認メールが送られます"
@@ -453,6 +462,7 @@ finnishMessage LoginYahoo = "Kirjaudu Yahoo-tilillä"
 finnishMessage Email = "Sähköposti"
 finnishMessage UserName = "Käyttäjätunnus" -- FIXME by Google Translate "user name"
 finnishMessage Password = "Salasana"
+finnishMessage Password = "Current password"
 finnishMessage Register = "Luo uusi"
 finnishMessage RegisterLong = "Luo uusi tili"
 finnishMessage EnterEmail = "Kirjoita alle sähköpostiosoitteesi, johon vahvistussähköposti lähetetään."
@@ -501,6 +511,7 @@ chineseMessage LoginYahoo = "用Yahoo帐户登录"
 chineseMessage Email = "邮箱"
 chineseMessage UserName = "用户名" -- FIXME by Google Translate "user name"
 chineseMessage Password = "密码"
+chineseMessage CurrentPassword = "Current password"
 chineseMessage Register = "注册"
 chineseMessage RegisterLong = "注册新帐户"
 chineseMessage EnterEmail = "输入你的邮箱地址，你将收到一封确认邮件。"
@@ -548,6 +559,7 @@ czechMessage LoginYahoo = "Přihlásit přes Yahoo"
 czechMessage Email = "E-mail"
 czechMessage UserName = "Uživatelské jméno"
 czechMessage Password = "Heslo"
+czechMessage CurrentPassword = "Current password"
 czechMessage Register = "Registrovat"
 czechMessage RegisterLong = "Zaregistrovat nový účet"
 czechMessage EnterEmail = "Níže zadejte svou e-mailovou adresu a bude vám poslán potvrzovací e-mail."
@@ -595,6 +607,7 @@ russianMessage LoginYahoo = "Вход с помощью Yahoo"
 russianMessage Email = "Эл.почта"
 russianMessage UserName = "Имя пользователя"
 russianMessage Password = "Пароль"
+russianMessage CurrentPassword = "Current password"
 russianMessage Register = "Регистрация"
 russianMessage RegisterLong = "Создать учётную запись"
 russianMessage EnterEmail = "Введите свой адрес эл.почты ниже, вам будет отправлено письмо для подтверждения."
@@ -641,6 +654,7 @@ dutchMessage LoginYahoo = "Inloggen via Yahoo"
 dutchMessage Email = "E-mail"
 dutchMessage UserName = "Gebruikersnaam" -- FIXME by Google Translate "user name"
 dutchMessage Password = "Wachtwoord"
+dutchMessage CurrentPassword = "Current password"
 dutchMessage Register = "Registreren"
 dutchMessage RegisterLong = "Registreer een nieuw account"
 dutchMessage EnterEmail = "Voer uw e-mailadres hieronder in, er zal een bevestigings-e-mail naar u worden verzonden."
@@ -680,44 +694,45 @@ dutchMessage LogoutTitle = "Log Out" -- FIXME NOT TRANSLATED
 dutchMessage AuthError = "Verificatiefout" -- FIXME by Google Translate
 
 croatianMessage :: AuthMessage -> Text
-croatianMessage NoOpenID      = "Nije pronađen OpenID identifikator"
+croatianMessage NoOpenID = "Nije pronađen OpenID identifikator"
-croatianMessage LoginOpenID   = "Prijava uz OpenID"
+croatianMessage LoginOpenID = "Prijava uz OpenID"
-croatianMessage LoginGoogle   = "Prijava uz Google"
+croatianMessage LoginGoogle = "Prijava uz Google"
-croatianMessage LoginYahoo    = "Prijava uz Yahoo"
+croatianMessage LoginYahoo = "Prijava uz Yahoo"
-croatianMessage Facebook      = "Prijava uz Facebook"
+croatianMessage Facebook = "Prijava uz Facebook"
 croatianMessage LoginViaEmail = "Prijava putem e-pošte"
-croatianMessage Email         = "E-pošta"
+croatianMessage Email = "E-pošta"
-croatianMessage UserName      = "Korisničko ime"
+croatianMessage UserName = "Korisničko ime"
-croatianMessage Password      = "Lozinka"
+croatianMessage Password = "Lozinka"
-croatianMessage Register      = "Registracija"
+croatianMessage CurrentPassword = "Current Password"
-croatianMessage RegisterLong  = "Registracija novog računa"
+croatianMessage Register = "Registracija"
-croatianMessage EnterEmail          = "Dolje unesite adresu e-pošte, pa ćemo vam poslati e-poruku za potvrdu."
+croatianMessage RegisterLong = "Registracija novog računa"
+croatianMessage EnterEmail = "Dolje unesite adresu e-pošte, pa ćemo vam poslati e-poruku za potvrdu."
 croatianMessage PasswordResetPrompt = "Dolje unesite adresu e-pošte ili korisničko ime, pa ćemo vam poslati e-poruku za potvrdu."
-croatianMessage ConfirmationEmailSentTitle    = "E-poruka za potvrdu"
+croatianMessage ConfirmationEmailSentTitle = "E-poruka za potvrdu"
 croatianMessage (ConfirmationEmailSent email) = "E-poruka za potvrdu poslana je na adresu " <> email <> "."
-croatianMessage AddressVerified               = "Adresa ovjerena, postavite novu lozinku"
+croatianMessage AddressVerified = "Adresa ovjerena, postavite novu lozinku"
-croatianMessage InvalidKeyTitle               = "Ključ za ovjeru nije valjan"
+croatianMessage InvalidKeyTitle = "Ključ za ovjeru nije valjan"
-croatianMessage InvalidKey                    = "Nažalost, taj ključ za ovjeru nije valjan."
+croatianMessage InvalidKey = "Nažalost, taj ključ za ovjeru nije valjan."
-croatianMessage InvalidEmailPass              = "Kombinacija e-pošte i lozinke nije valjana"
+croatianMessage InvalidEmailPass = "Kombinacija e-pošte i lozinke nije valjana"
-croatianMessage InvalidUsernamePass           = "Kombinacija korisničkog imena i lozinke nije valjana"
+croatianMessage InvalidUsernamePass = "Kombinacija korisničkog imena i lozinke nije valjana"
-croatianMessage BadSetPass                    = "Za postavljanje lozinke morate biti prijavljeni"
+croatianMessage BadSetPass = "Za postavljanje lozinke morate biti prijavljeni"
-croatianMessage SetPassTitle                  = "Postavi lozinku"
+croatianMessage SetPassTitle = "Postavi lozinku"
-croatianMessage SetPass                       = "Postavite novu lozinku"
+croatianMessage SetPass = "Postavite novu lozinku"
-croatianMessage NewPass                       = "Nova lozinka"
+croatianMessage NewPass = "Nova lozinka"
-croatianMessage ConfirmPass                   = "Potvrda lozinke"
+croatianMessage ConfirmPass = "Potvrda lozinke"
-croatianMessage PassMismatch                  = "Lozinke se ne podudaraju, pokušajte ponovo"
+croatianMessage PassMismatch = "Lozinke se ne podudaraju, pokušajte ponovo"
-croatianMessage PassUpdated                   = "Lozinka ažurirana"
+croatianMessage PassUpdated = "Lozinka ažurirana"
-croatianMessage InvalidLogin                  = "Prijava nije valjana"
+croatianMessage InvalidLogin = "Prijava nije valjana"
-croatianMessage NowLoggedIn                   = "Sada ste prijavljeni u"
+croatianMessage NowLoggedIn = "Sada ste prijavljeni u"
-croatianMessage LoginTitle                    = "Prijava"
+croatianMessage LoginTitle = "Prijava"
-croatianMessage PleaseProvideUsername         = "Unesite korisničko ime"
+croatianMessage PleaseProvideUsername = "Unesite korisničko ime"
-croatianMessage PleaseProvidePassword         = "Unesite lozinku"
+croatianMessage PleaseProvidePassword = "Unesite lozinku"
-croatianMessage NoIdentifierProvided          = "Nisu dani e-pošta/korisničko ime"
+croatianMessage NoIdentifierProvided = "Nisu dani e-pošta/korisničko ime"
-croatianMessage InvalidEmailAddress           = "Dana adresa e-pošte nije valjana"
+croatianMessage InvalidEmailAddress = "Dana adresa e-pošte nije valjana"
-croatianMessage PasswordResetTitle            = "Poništavanje lozinke"
+croatianMessage PasswordResetTitle = "Poništavanje lozinke"
-croatianMessage ProvideIdentifier             = "E-pošta ili korisničko ime"
+croatianMessage ProvideIdentifier = "E-pošta ili korisničko ime"
-croatianMessage SendPasswordResetEmail        = "Pošalji e-poruku za poništavanje lozinke"
+croatianMessage SendPasswordResetEmail = "Pošalji e-poruku za poništavanje lozinke"
-croatianMessage (IdentifierNotFound ident)    = "Korisničko ime/e-pošta nisu pronađeni: " <> ident
+croatianMessage (IdentifierNotFound ident) = "Korisničko ime/e-pošta nisu pronađeni: " <> ident
-croatianMessage Logout                        = "Odjava"
+croatianMessage Logout = "Odjava"
-croatianMessage LogoutTitle                   = "Odjava"
+croatianMessage LogoutTitle = "Odjava"
-croatianMessage AuthError                     = "Pogreška provjere autentičnosti"
+croatianMessage AuthError = "Pogreška provjere autentičnosti"