From 1a6850522a8ed729627bf48bee7467c7839fa7d6 Mon Sep 17 00:00:00 2001
From: Kris <git@k118.de>
Date: Mon, 15 Feb 2021 21:43:17 +0100
Subject: [PATCH] Added CSRF Protection to routes (#214)

closes #135
---
 app/Http/Controllers/UserController.php | 16 +++++++++----
 resources/views/settings.blade.php      | 32 ++++++++++++++++---------
 routes/web.php                          |  4 ++--
 3 files changed, 34 insertions(+), 18 deletions(-)

diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index afbcf075d..092ad4865 100644
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -185,11 +185,17 @@ public function deleteSession(): RedirectResponse {
         return redirect()->route('static.welcome');
     }
 
-    //delete a specific session for user
-    public function deleteToken($tokenId): RedirectResponse {
-        $user  = Auth::user();
-        $token = Token::find($tokenId);
-        if ($token->user == $user) {
+    /**
+     * delete a specific session for user
+     * @param Request $request
+     * @return RedirectResponse
+     */
+    public function deleteToken(Request $request): RedirectResponse {
+        $validated = $request->validate([
+                                            'tokenId' => ['required', 'exists:oauth_access_tokens,id']
+                                        ]);
+        $token     = Token::find($validated['tokenId']);
+        if ($token->user->id == Auth::user()->id) {
             $token->revoke();
         }
         return redirect()->route('settings');
diff --git a/resources/views/settings.blade.php b/resources/views/settings.blade.php
index 59608021a..9a3fd03cd 100644
--- a/resources/views/settings.blade.php
+++ b/resources/views/settings.blade.php
@@ -20,9 +20,9 @@ class="col-md-4 col-form-label text-md-right">{{ __('settings.picture') }}</labe
                                 <div class="col-md-6 text-center">
                                     <div class="image-box">
                                         <img
-                                            src="{{ route('account.showProfilePicture', ['username' => $user->username]) }}"
-                                            style="max-width: 96px" alt="{{__('settings.picture')}}" class="pb-2"
-                                            id="theProfilePicture"/>
+                                                src="{{ route('account.showProfilePicture', ['username' => $user->username]) }}"
+                                                style="max-width: 96px" alt="{{__('settings.picture')}}" class="pb-2"
+                                                id="theProfilePicture"/>
                                     </div>
 
                                     <a href="#" class="btn btn-primary" data-toggle="modal"
@@ -295,7 +295,7 @@ class="btn btn-sm btn-outline-danger disconnect">{{ __('settings.disconnect') }}
                                                            aria-describedby="button-addon4">
                                                     <div id="button-addon4" class="input-group-append">
                                                         <button class="btn btn-md btn-primary m-0 px-3" type="submit"><i
-                                                                class="fab fa-mastodon"></i> {{ __('settings.connect') }}
+                                                                    class="fab fa-mastodon"></i> {{ __('settings.connect') }}
                                                         </button>
                                                     </div>
                                                 </div>
@@ -323,7 +323,7 @@ class="btn btn-sm btn-primary">{{ __('settings.connect') }}</a></td>
                                                        aria-describedby="button-addon4">
                                                 <div id="button-addon4" class="input-group-append">
                                                     <button class="btn btn-md btn-primary m-0 px-3" type="submit"><i
-                                                            class="fab fa-mastodon"></i> {{ __('settings.connect') }}
+                                                                class="fab fa-mastodon"></i> {{ __('settings.connect') }}
                                                     </button>
                                                 </div>
                                             </div>
@@ -359,8 +359,13 @@ class="fab fa-mastodon"></i> {{ __('settings.connect') }}
                             @endforeach
 
                         </table>
-                        <a href="{{ route('delsession') }}" class="btn btn-block btn-outline-danger mx-0"
-                           role="button">{{ __('settings.deleteallsessions') }}</a>
+                        <form method="POST" action="{{ route('delsession') }}">
+                            @csrf
+                            <button type="submit" class="btn btn-block btn-outline-danger mx-0">
+                                {{ __('settings.deleteallsessions') }}
+                            </button>
+                        </form>
+
                     </div>
                 </div>
 
@@ -389,10 +394,15 @@ class="fab fa-mastodon"></i> {{ __('settings.connect') }}
                                         <td>{{ $token['updated_at'] }}</td>
                                         <td>{{ $token['expires_at'] }}</td>
                                         <td>
-                                            <a href="{{ route('deltoken', ['id' => $token['id']]) }}"
-                                               alt="{{ __('settings.deletetokenfor') }}  {{ $token['clientName'] }}"
-                                               class="btn btn-block btn-danger mx-0"
-                                               role="button"><i class="fas fa-trash"></i></a></td>
+                                            <form method="POST" action="{{ route('deltoken') }}">
+                                                @csrf
+                                                <input type="hidden" name="tokenId" value="{{$token['id']}}"/>
+                                                <button class="btn btn-block btn-danger mx-0" role="button">
+                                                    <i class="fas fa-trash"></i>
+                                                </button>
+                                            </form>
+
+                                        </td>
                                     </tr>
                                 @endforeach
                             </table>
diff --git a/routes/web.php b/routes/web.php
index 49d518a29..c79180be4 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -140,10 +140,10 @@
     Route::get('/settings/deleteProfilePicture', [UserController::class, 'deleteProfilePicture'])
          ->name('settings.delete-profile-picture');
 
-    Route::get('/settings/delsession', [UserController::class, 'deleteSession'])
+    Route::post('/settings/delsession', [UserController::class, 'deleteSession'])
          ->name('delsession');
 
-    Route::get('/settings/deltoken/{id}', [UserController::class, 'deleteToken'])
+    Route::post('/settings/deltoken', [UserController::class, 'deleteToken'])
          ->name('deltoken');
 
     Route::get('/dashboard', [FrontendStatusController::class, 'getDashboard'])