Fix 403 errors after signup

Closes #2819 - Keep around the _csrfSecret on the session after regenerating
2025-03-11 02:12:21 -05:00 · 2014-05-26 19:59:57 -05:00 · 2014-05-26 19:59:57 -05:00 · dc58d6936a
commit dc58d6936a
parent 40d4cc7e55
1 changed files with 24 additions and 12 deletions
--- a/core/server/controllers/admin.js
+++ b/core/server/controllers/admin.js
@ -216,8 +216,13 @@ adminControllers = {
        if (!denied) {
            loginSecurity.push({ip: remoteAddress, time: currentTime});
            api.users.check({email: req.body.email, pw: req.body.password}).then(function (user) {
+                // Carry over the csrf secret
+                var existingSecret = req.session._csrfSecret;
+
                req.session.regenerate(function (err) {
                    if (!err) {
+                        req.session._csrfSecret = existingSecret;
+
                        req.session.user = user.id;
                        req.session.userData = user.attributes;

@ -254,7 +259,7 @@ adminControllers = {
    // Route: doSignup
    // Path: /ghost/signup/
    // Method: POST
-    'doSignup': function (req, res) {
+    'doSignup': function (req, res, next) {
        var name = req.body.name,
            email = req.body.email,
            password = req.body.password,
@ -285,7 +290,8 @@ adminControllers = {
                            message: message,
                            options: {}
                        }]
-                    };
+                    },
+                    existingSecret;

                api.mail.send(payload).otherwise(function (error) {
                    errors.logError(
@ -295,18 +301,24 @@ adminControllers = {
                    );
                });

+                // Carry over the csrf secret
+                existingSecret = req.session._csrfSecret;
                req.session.regenerate(function (err) {
-                    if (!err) {
-                        if (req.session.user === undefined) {
-                            req.session.user = user.id;
-                            req.session.userData = user;
-                        }
-
-                        res.json(200, {
-                            redirect: config().paths.subdir + '/ghost/',
-                            userData: req.session.userData
-                        });
+                    if (err) {
+                        return next(err);
                    }
+
+                    req.session._csrfSecret = existingSecret;
+
+                    if (req.session.user === undefined) {
+                        req.session.user = user.id;
+                        req.session.userData = user;
+                    }
+
+                    res.json(200, {
+                        redirect: config().paths.subdir + '/ghost/',
+                        userData: req.session.userData
+                    });
                });
            });
        }).otherwise(function (error) {