qr -> ajax

2025-10-29 01:05:32 +00:00 · 2025-05-30 03:01:38 +02:00
parent 0f22f14a56
commit 9f7306526f
3 changed files with 89 additions and 109 deletions
--- a/controllers/user_management_access.go
+++ b/controllers/user_management_access.go
@@ -74,12 +74,8 @@ func (p *UserManagementAccessPage) GET(engine *templating.Engine, app core.App)
 		data["relative_url"] = path_access + "?token=" + access_token.Token()
 		data["validUntil"] = access_token.Expires().Time().Local().Format("02.01.2006 15:04")

-		nonce, token, err := CSRF_CACHE.GenerateTokenBundle()
-		if err != nil {
-			return engine.Response500(e, err, data)
-		}
-		data["csrf_nonce"] = nonce
-		data["csrf_token"] = token
+		req := templating.NewRequest(e)
+		data["csrf_token"] = req.Session().Token

 		SetRedirect(data, e)

@@ -94,6 +90,19 @@ func (p *UserManagementAccessPage) POST(engine *templating.Engine, app core.App)
 			return engine.Response404(e, fmt.Errorf("invalid role: %s", role), nil)
 		}

+		formdata := struct {
+			CSRF string `json:"csrf_token" form:"csrf_token"`
+		}{}
+
+		if err := e.BindBody(&formdata); err != nil {
+			return engine.Response500(e, fmt.Errorf("invalid form data: %w", err), nil)
+		}
+
+		req := templating.NewRequest(e)
+		if err := req.CheckCSRF(formdata.CSRF); err != nil {
+			return engine.Response500(e, fmt.Errorf("invalid CSRF token: %w", err), nil)
+		}
+
 		path_access := URL_USER_CREATE + role
 		record, err := app.FindFirstRecordByData(dbmodels.ACCESS_TOKENS_TABLE, dbmodels.ACCESS_TOKENS_URL_FIELD, path_access)
 		if err == nil {
@@ -110,6 +119,7 @@ func (p *UserManagementAccessPage) POST(engine *templating.Engine, app core.App)
 		data["access_url"] = "https://musenalm.de" + path_access + "?token=" + token.Token()
 		data["relative_url"] = path_access + "?token=" + token.Token()
 		data["validUntil"] = token.Expires().Time().Format("02.01.2006 15:04")
+		data["csrf_token"] = req.Session().Token

 		SetRedirect(data, e)