Merge pull request #1161 from MaxGabriel/yesodAuthHardodedUseCSRFToken

Have the yesod-auth login form use a CSRF token
2016-02-23 14:54:38 +01:00 · 2016-02-23 14:54:38 +01:00 · 9dd48ab4b3
commit 9dd48ab4b3
parent b09d029fb7 d39ce44c21
5 changed files with 13 additions and 5 deletions
--- a/yesod-auth/ChangeLog.md
+++ b/yesod-auth/ChangeLog.md
@ -1,3 +1,7 @@
+## 1.4.13
+
+* Add a CSRF token to the login form from `Yesod.Auth.Hardcoded`, making it compatible with the CSRF middleware [#1161](https://github.com/yesodweb/yesod/pull/1161)
+
 ## 1.4.12

 * Deprecated Yesod.Auth.GoogleEmail
--- a/yesod-auth/Yesod/Auth/Hardcoded.hs
+++ b/yesod-auth/Yesod/Auth/Hardcoded.hs
@ -160,10 +160,13 @@ authHardcoded =
  where
    dispatch "POST" ["login"] = postLoginR >>= sendResponse
    dispatch _ _ = notFound
-    loginWidget toMaster =
+    loginWidget toMaster = do
+      request <- getRequest
      [whamlet|
        $newline never
        <form method="post" action="@{toMaster loginR}">
+          $maybe t <- reqToken request
+            <input type=hidden name=#{defaultCsrfParamName} value=#{t}>
          <table>
            <tr>
              <th>_{Msg.UserName}
--- a/yesod-auth/yesod-auth.cabal
+++ b/yesod-auth/yesod-auth.cabal
@ -1,5 +1,5 @@
 name:            yesod-auth
-version:         1.4.12
+version:         1.4.13
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman, Patrick Brisbin
@ -23,7 +23,7 @@ library
    build-depends:   base                    >= 4         && < 5
                   , authenticate            >= 1.3
                   , bytestring              >= 0.9.1.4
-                   , yesod-core              >= 1.4       && < 1.5
+                   , yesod-core              >= 1.4.14    && < 1.5
                   , wai                     >= 1.4
                   , template-haskell
                   , base16-bytestring
--- a/yesod-form/Yesod/Form/Functions.hs
+++ b/yesod-form/Yesod/Form/Functions.hs
@ -59,6 +59,7 @@ import Text.Blaze (Markup, toMarkup)
 #define Html Markup
 #define toHtml toMarkup
 import Yesod.Core
+import Yesod.Core.Handler (defaultCsrfParamName)
 import Network.Wai (requestMethod)
 import Text.Hamlet (shamlet)
 import Data.Monoid (mempty)
@ -213,7 +214,7 @@ postHelper  :: (MonadHandler m, RenderMessage (HandlerSite m) FormMessage)
            -> m ((FormResult a, xml), Enctype)
 postHelper form env = do
    req <- getRequest
-    let tokenKey = "_token"
+    let tokenKey = defaultCsrfParamName
    let token =
            case reqToken req of
                Nothing -> mempty
--- a/yesod-form/yesod-form.cabal
+++ b/yesod-form/yesod-form.cabal
@ -20,7 +20,7 @@ flag network-uri

 library
    build-depends:   base                  >= 4        && < 5
-                   , yesod-core            >= 1.4      && < 1.5
+                   , yesod-core            >= 1.4.14   && < 1.5
                   , yesod-persistent      >= 1.4      && < 1.5
                   , time                  >= 1.1.4
                   , shakespeare           >= 2.0