auth
auth/authd/templates/simple.gotmpl
Enable CSRF protection, add expiration to sessions. Sessions gain a CSRF token, which is passed as a parameter to the login page. The login page now checks for that CSRF token, and logs a CSRF attempt if the token does not match. I also added an expiration to sessions, so they don't last forever. Sessions should be pretty short--we just need to stay logged in for long enough to approve the OAuth request. Everything after that should be cookie based. Finally, I added a configuration parameter to control whether the session cookie should be set to Secure, requiring the use of HTTPS. For production use, this flag is a requirement, but it makes testing extremely difficult, so we need a way to disable it.
{{ define "login" }}<html>
<head>
<title>Log in</title>
</head>
<body>
<h1>Please log into your account</h1>{{ if .errors }}
<h2>Errors:</h2>
{{/* The closing </ul> belongs after the range's {{ end }} so it is emitted once, not once per error. */}}
<ul>{{ range .errors }}
<li>{{ . }}</li>{{ end }}
</ul>{{ end }}
<form method="POST">
<p>Username: <input type="text" name="login"></p>
<p>Password: <input type="password" name="passphrase"></p>
<p><input type="submit"></p>
</form>
</body>
</html>{{ end }}

{{ define "get_grant" }}<html>
<head>
<title>Grant access</title>
</head>
<body>{{ if .error }}
<h1>Error</h1>
<p>{{ .error }}</p>{{ end }}{{ if .internal_error }}
<h1>Error</h1>
<p>{{ .internal_error }}</p>{{ end }}{{ if not .error }}{{ if not .internal_error }}<h1>Grant access</h1>
<p>{{ .client.Name }} is requesting access to your account. If you grant it, you'll be redirected to {{ .redirectURL }}. Their access will be limited to {{ .scope }}. You are granting access for {{ .profile.Name }}.</p>{{ end }}{{ end }}
<form method="POST">
<input type="submit" name="grant" value="approved">
{{/* The handler compares this value to the token stored in the session and logs a mismatch as a CSRF attempt. */}}
<input type="hidden" name="csrftoken" value="{{ .csrftoken }}">
</form>
</body>
</html>{{ end }}
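The session side of what the commit message describes (a per-session CSRF token, a short expiry, and a configurable Secure cookie flag), as an added illustration in Go that is not authd's own code. The `Session` type, `NewSession`, `Validate`, `SessionCookie` and the cookie name `authd_session` are assumptions; the handler that renders the template would call `Validate` on the POSTed `csrftoken` and log the returned reason on failure.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// Session is a hypothetical short-lived login session that carries the CSRF
// token the login and grant forms must echo back.
type Session struct {
	CSRFToken string
	Expires   time.Time
}

// NewSession mints a session with a random token and a short lifetime.
func NewSession(ttl time.Duration, now time.Time) (*Session, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return &Session{CSRFToken: hex.EncodeToString(b), Expires: now.Add(ttl)}, nil
}

// Validate reports whether a submitted token is acceptable; reason is
// non-empty on failure so the handler can log the CSRF attempt.
func (s *Session) Validate(submitted string, now time.Time) (bool, string) {
	if !now.Before(s.Expires) {
		return false, "session expired"
	}
	// Constant-time comparison so token bytes cannot be inferred from timing.
	if subtle.ConstantTimeCompare([]byte(s.CSRFToken), []byte(submitted)) != 1 {
		return false, "csrf token mismatch"
	}
	return true, ""
}

// SessionCookie builds the session cookie; secure is the configuration flag
// from the commit message (true in production, false only for local testing).
func SessionCookie(id string, expires time.Time, secure bool) *http.Cookie {
	return &http.Cookie{Name: "authd_session", Value: id, Expires: expires,
		HttpOnly: true, Secure: secure, SameSite: http.SameSiteLaxMode}
}
func main() {
	s, _ := NewSession(5*time.Minute, time.Now())
	fmt.Println(s.Validate("bogus", time.Now())) // false csrf token mismatch
}
```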