Return a 403 status code if the csrf tokens are matched.

This currently affects two endpoints: during registration and during password reset forms.

This curl request demonstrates how this can be exploited to register new email:

```shell
curl -i --header "Accept: application/json" --request POST -F "email=sibi@psibi.in" http://localhost:3005/auth/page/email/register
```

With the patch applied, it will respond with this:

```json
{"message":"Permission Denied. A valid CSRF token wasn't present in HTTP headers or POST parameters. Because the request could have been forged, it's been rejected altogether. Check the Yesod.Core.Handler docs of the yesod-core package for details on CSRF protection."}
```
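The check the commit describes, as an added illustration that is not code from the yesod-auth commit or the package itself: a minimal stand-alone yesod-core application whose registration POST handler calls `checkCsrfHeaderOrParam` before doing anything with the submitted form. A request that carries neither the `X-XSRF-TOKEN` header nor the `_token` POST parameter (the curl request above is exactly that) is rejected with HTTP 403 and the "Permission Denied ..." message quoted above; the GET handler shows how the form gets the token in the first place. Assumptions: yesod-core 1.4.14 or later, where `checkCsrfHeaderOrParam`, `defaultCsrfHeaderName` and `defaultCsrfParamName` live; the route `RegisterR`, the `/register` path and the `email` field are invented for the example and are not yesod-auth's real routes.

```haskell
{-# LANGUAGE OverloadedStrings, QuasiQuotes, TemplateHaskell, TypeFamilies #-}
-- Added example, not part of yesod-auth: a minimal yesod-core app showing the
-- CSRF check the commit adds to its registration handler.
-- Assumed: yesod-core >= 1.4.14 (checkCsrfHeaderOrParam and the defaultCsrf*
-- names); the route RegisterR and the "email" field are hypothetical.
module Main (main) where

import Yesod.Core

data App = App

mkYesod "App" [parseRoutes|
/register RegisterR GET POST
|]

-- Default instance: the client-session backend is on, so every request has a
-- per-session CSRF token (reqToken) that server-rendered forms can embed.
instance Yesod App

-- GET: render the form with the session token as the hidden _token field
-- (defaultCsrfParamName), the same parameter name the POST handler checks.
getRegisterR :: Handler Html
getRegisterR = do
    mtoken <- reqToken <$> getRequest   -- Nothing only if sessions are disabled
    defaultLayout [whamlet|
<form method=post action=@{RegisterR}>
  $maybe token <- mtoken
    <input type=hidden name=#{defaultCsrfParamName} value=#{token}>
  <input type=email name=email required>
  <button type=submit>Register
|]

-- POST: refuse to act unless the request proves it came from our own page.
-- checkCsrfHeaderOrParam accepts the session token either in the X-XSRF-TOKEN
-- header (defaultCsrfHeaderName, convenient for XHR/JSON clients) or in the
-- _token form field. A forged cross-site POST, like the curl command in the
-- commit message, carries neither: permissionDenied fires, the client gets
-- HTTP 403 with the "Permission Denied. A valid CSRF token wasn't present..."
-- body, and nothing after the check runs for that request.
postRegisterR :: Handler Value
postRegisterR = do
    checkCsrfHeaderOrParam defaultCsrfHeaderName defaultCsrfParamName
    memail <- lookupPostParam "email"
    case memail of
        Nothing    -> invalidArgs ["email"]                 -- HTTP 400
        Just email -> returnJson $ object ["registered" .= email]

main :: IO ()
main = warp 3005 App
```

Two things worth knowing when applying this pattern. First, the token lives in the session cookie, so the check only works when the session backend is enabled; with sessions off, `reqToken` is `Nothing` and every POST is refused. Second, calling the check per handler, as the commit does for the two affected endpoints, is easy to forget on the next state-changing route; yesod-core also ships `defaultCsrfMiddleware`, which can be composed into `yesodMiddleware` (`yesodMiddleware = defaultCsrfMiddleware . defaultYesodMiddleware`) so that every non-GET request is checked by default, with the same header/parameter names as above.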
Repository contents:

- Yesod
- .gitignore
- auth2.hs
- browserid.hs
- ChangeLog.md
- LICENSE
- openid.hs
- persona_sign_in_blue.png
- README.md
- Setup.lhs
- yesod-auth.cabal
yesod-auth
This package provides a pluggable mechanism for allowing users to authenticate with your site. It comes with a number of common plugins, such as OpenID, BrowserID (a.k.a., Mozilla Persona), and email. Other packages are available from Hackage as well. If you've written such an add-on, please notify me so that it can be added to this description.
- yesod-auth-account: An account authentication plugin for Yesod
- yesod-auth-hashdb: The HashDB module previously packaged in yesod-auth, now with stronger, but compatible, security.
- yesod-auth-bcrypt: An alternative to the HashDB module.