Overhaul sessions, tokens, and authentication

- Use cookies + CSRF token for API authentication in the default client. This mitigates potential XSS attacks by making the token unavailable to JavaScript. The Authorization header is still supported, but not used by default. - Make sensitive/destructive actions (editing a user, permanently deleting anything, visiting the admin CP) require the user to re-enter their password if they haven't entered it in the last 30 minutes. - Refactor and clean up the authentication middleware. - Add an `onhide` hook to the Modal component. (+1 squashed commit)
2025-05-23 07:09:57 +08:00 · 2015-11-05 16:17:00 +10:30
parent a1e1635019
commit 9896378b59
69 changed files with 1076 additions and 509 deletions
--- a/js/lib/components/ConfirmPasswordModal.js
+++ b/js/lib/components/ConfirmPasswordModal.js
@ -0,0 +1,73 @@
+import Modal from 'flarum/components/Modal';
+import Button from 'flarum/components/Button';
+import extractText from 'flarum/utils/extractText';
+
+export default class ConfirmPasswordModal extends Modal {
+  init() {
+    super.init();
+
+    this.password = m.prop('');
+  }
+
+  className() {
+    return 'ConfirmPasswordModal Modal--small';
+  }
+
+  title() {
+    return app.translator.trans('core.forum.confirm_password.title');
+  }
+
+  content() {
+    return (
+      <div className="Modal-body">
+        <div className="Form Form--centered">
+          <div className="Form-group">
+            <input
+              type="password"
+              className="FormControl"
+              bidi={this.password}
+              placeholder={extractText(app.translator.trans('core.forum.confirm_password.password_placeholder'))}
+              disabled={this.loading}/>
+          </div>
+
+          <div className="Form-group">
+            <Button
+              type="submit"
+              className="Button Button--primary Button--block"
+              loading={this.loading}>
+              {app.translator.trans('core.forum.confirm_password.submit_button')}
+            </Button>
+          </div>
+        </div>
+      </div>
+    );
+  }
+
+  onsubmit(e) {
+    e.preventDefault();
+
+    this.loading = true;
+
+    app.session.login(app.session.user.email(), this.password(), {errorHandler: this.onerror.bind(this)})
+      .then(() => {
+        this.success = true;
+        this.hide();
+        app.request(this.props.deferredRequest).then(response => this.props.deferred.resolve(response), response => this.props.deferred.reject(response));
+      })
+      .catch(this.loaded.bind(this));
+  }
+
+  onerror(error) {
+    if (error.status === 401) {
+      error.alert.props.children = app.translator.trans('core.forum.log_in.invalid_login_message');
+    }
+
+    super.onerror(error);
+  }
+
+  onhide() {
+    if (this.success) return;
+
+    this.props.deferred.reject(this.props.error);
+  }
+}
--- a/js/lib/components/Modal.js
+++ b/js/lib/components/Modal.js
@ -98,7 +98,10 @@ export default class Modal extends Component {
   * Focus on the first input when the modal is ready to be used.
   */
  onready() {
-    this.$('form :input:first').focus().select();
+    this.$('form').find('input, select, textarea').first().focus().select();
+  }
+
+  onhide() {
  }

  /**
--- a/js/lib/components/ModalManager.js
+++ b/js/lib/components/ModalManager.js
@ -77,6 +77,10 @@ export default class ModalManager extends Component {
   * @protected
   */
  clear() {
+    if (this.component) {
+      this.component.onhide();
+    }
+
    this.component = null;

    m.lazyRedraw();