
Merge pull request #2975 from jaswilli/csrf

Fix csrfSecret handling
This commit is contained in:
Hannah Wolfe 2014-06-17 20:16:26 +01:00
commit 6d9f2571a1
2 changed files with 12 additions and 4 deletions


@ -23,6 +23,14 @@ var SigninRoute = Ember.Route.extend(styleBody, {
headers: {'X-CSRF-Token': this.get('csrf')},
data: data
}).then(function (response) {
// once the email and password are pulled from the controller
// they need to be cleared, or they will reappear next time the signin
// page is visited
controller.setProperties({
email: '',
password: ''
});
self.store.pushPayload({users: [response.userData]});
return self.store.find('user', response.userData.id);
}).then(function (user) {
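Review bot: The success callback dereferences `response.userData.id` without checking that the signin response actually carried a `userData` object, so a malformed or unexpected 2xx body raises a TypeError inside the promise chain instead of a clear signin failure. Since the store is populated from that payload, a short guard before `pushPayload` would make the failure explicit: `if (!response || !response.userData) { throw new Error('Signin response did not include user data'); }`. Clearing the controller's email and password only on the success path is presumably intentional so a failed attempt can be retried, but it means the credentials remain on the controller after an error; a one-line comment stating that this is by design would help the next reader. The enclosing `ajax(...).then(...)` chain begins before the hunk and the following `.then` handler continues past it.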


@ -254,11 +254,11 @@ adminControllers = {
loginSecurity.push({ip: remoteAddress, time: currentTime});
api.users.check({email: req.body.email, pw: req.body.password}).then(function (user) {
// Carry over the csrf secret
var existingSecret = req.session._csrfSecret;
var existingSecret = req.session.csrfSecret;
req.session.regenerate(function (err) {
if (!err) {
req.session._csrfSecret = existingSecret;
req.session.csrfSecret = existingSecret;
req.session.user = user.id;
req.session.userData = user.attributes;
@ -339,13 +339,13 @@ adminControllers = {
});
// Carry over the csrf secret
existingSecret = req.session._csrfSecret;
existingSecret = req.session.csrfSecret;
req.session.regenerate(function (err) {
if (err) {
return next(err);
}
req.session._csrfSecret = existingSecret;
req.session.csrfSecret = existingSecret;
if (req.session.user === undefined) {
req.session.user = user.id;