Part of story #31175: delete a registered passkey

To avoid a CSRF attack on POST /webauthn/registration, add a CSRF token in the request body and then check it in the controller.

*Testing:* If you try to call the route without the CSRF token (or with a wrong token) you will receive a 400 Bad Request. Else, registration is performed and you receive 200 OK.

Change-Id: Ia73a6dd18fe061f2545999e6b85c66c791abc071
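As an added illustration (not Tuleap's code) of the pattern the commit message describes: a synchronizer token is issued to the user's session, the client sends it back in the JSON body of POST /webauthn/registration, and the controller rejects the request with 400 when the token is missing or wrong and proceeds to registration with 200 otherwise. The session array, the `webauthn_csrf` key and the `csrf_token` body field are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Issue a synchronizer token bound to the user's session (assumed storage key).
function issueCsrfToken(array &$session): string
{
    if (!isset($session['webauthn_csrf'])) {
        $session['webauthn_csrf'] = bin2hex(random_bytes(32));
    }
    return $session['webauthn_csrf'];
}

// Extract the token from the JSON request body; null when absent or malformed.
function extractBodyToken(string $rawBody): ?string
{
    $decoded = json_decode($rawBody, true);
    if (!is_array($decoded) || !isset($decoded['csrf_token']) || !is_string($decoded['csrf_token'])) {
        return null;
    }
    return $decoded['csrf_token'];
}

// HTTP status the controller answers with: 400 when the token is missing or does not
// match the session token, 200 when it matches and registration can proceed.
function postRegistrationStatus(array $session, string $rawBody): int
{
    $expected = $session['webauthn_csrf'] ?? null;
    $provided = extractBodyToken($rawBody);
    // hash_equals compares in constant time, so the check leaks nothing about the token.
    if ($expected === null || $provided === null || !hash_equals($expected, $provided)) {
        return 400;
    }
    // Verification of the WebAuthn registration response would happen here.
    return 200;
}

// Constructed demonstration: a valid request, one without a token, one with a wrong token.
$session = [];
$token   = issueCsrfToken($session);
$valid   = json_encode(['csrf_token' => $token, 'response' => ['id' => 'constructed-credential-id']]);
$missing = json_encode(['response' => ['id' => 'constructed-credential-id']]);
$wrong   = json_encode(['csrf_token' => str_repeat('0', 64), 'response' => []]);

assert(postRegistrationStatus($session, $valid) === 200);
assert(postRegistrationStatus($session, $missing) === 400);
assert(postRegistrationStatus($session, $wrong) === 400);
echo "ok\n";
```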
Modified Files
Status | File | Added | Removed
---|---|---|---
M | plugins/webauthn/include/WebAuthn/Controllers/AccountController.php | +3 | −1
M | plugins/webauthn/include/WebAuthn/Controllers/AccountPresenter.php | +2 | −0
M | plugins/webauthn/scripts/account/src/account.ts | +9 | −3
M | plugins/webauthn/scripts/account/src/register.ts | +2 | −1
M | plugins/webauthn/templates/name-modal.mustache | +3 | −0
M | site-content/fr_FR/LC_MESSAGES/tuleap-core.po | +3 | −0
M | site-content/pt_BR/LC_MESSAGES/tuleap-core.po | +3 | −0
M | src/common/Request/CSRFSynchronizerTokenInterface.php | +10 | −0
M | src/common/Request/RouteCollector.php | +1 | −0
M | src/common/WebAuthn/Controllers/PostRegistrationController.php | +15 | −3
M | src/common/include/CSRFSynchronizerToken.php | +1 | −1
M | tests/lib/Stubs/CSRFSynchronizerTokenStub.php | +6 | −0
M | tests/unit/common/WebAuthn/Controllers/PostRegistrationControllerTest.php | +9 | −2