Return a 403 status code if the csrf tokens are matched. This currently
affects two endpoints: During registration and during password reset
forms.
This curl request demonstrates how this can be exploited to register new
email:
curl -i --header "Accept: application/json" --request POST -F
"email=sibi@psibi.in" http://localhost:3005/auth/page/email/register
With the patch applied, it will respond with this:
{"message":"Permission Denied. A valid CSRF token wasn't present in HTTP
headers or POST parameters. Because the request could have been forged,
it's been rejected altogether. Check the Yesod.Core.Handler docs of the
yesod-core package for details on CSRF protection."}
7f17d829b3