protect invoke other sessions endpoint with anti forgery token

Author: josxha

KratosSelfService/Controllers/SessionsController.cs

@@ -19,11 +19,15 @@ public async Task<IActionResult> Sessions()
         return View("Sessions", model);
     }
 
-    [HttpGet("sessions-logout")]
-    public async Task<IActionResult> LogoutAllOtherSessions()
+    [HttpPost("sessions")]
+    [ValidateAntiForgeryToken]
+    public async Task<IActionResult> LogoutAllOtherSessions([FromForm] string? action)
     {
-        //TODO: protect with anti forgery token
-        _ = await api.Frontend.DisableMyOtherSessionsAsync(cookie: Request.Headers.Cookie);
+        if (action == "invokeSessions")
+        {
+            _ = await api.Frontend.DisableMyOtherSessionsAsync(cookie: Request.Headers.Cookie);
+        }
+
         return Redirect("sessions");
     }
 }

KratosSelfService/Views/Sessions/Sessions.cshtml

@@ -1,4 +1,5 @@
 @using UAParser
+@using Microsoft.AspNetCore.Components.Web
 @model SessionsModel
 @{
     Layout = "_NavbarLayout";
@@ -96,11 +97,14 @@
                 }
                 else
                 {
-                    <div class="buttons">
-                        <a class="button is-warning" href="sessions-logout">
-                            @CustomTranslator.Get("sessions.logoutOtherSessions")
-                        </a>
-                    </div>
+                    <form action="/sessions" method="post">
+                        @Html.AntiForgeryToken()
+                        <div class="buttons">
+                            <button type="submit" class="button is-warning" name="action" value="invokeSessions">
+                                @CustomTranslator.Get("sessions.logoutOtherSessions")
+                            </button>
+                        </div>
+                    </form>
                     <table class="table is-fullwidth">
                         <thead>
                         <tr>