Updated manager security. Fixes #1741 #1742
Conversation
|
Review requested by @hagaiwech & @tedvanderveen |
| @@ -104,10 +104,9 @@ public async Task<IActionResult> OnPostAsync(string returnUrl = null) | |||
|
|
|||
| if (!string.IsNullOrEmpty(returnUrl)) | |||
| { | |||
| return LocalRedirect(returnUrl); | |||
| return LocalRedirect($"~/manager/login/auth?returnUrl={ returnUrl }"); | |||
There was a problem hiding this comment.
Custom authentication providers should also redirect to this new route which is responsible for setting up the CSRF request token for the application.
| @@ -14,7 +14,28 @@ piranha.utils = { | |||
| }, | |||
| strLength: function (str) { | |||
| return str != null ? str.length : 0; | |||
| } | |||
| }, | |||
| antiForgery: function () { | |||
There was a problem hiding this comment.
This method is responsible for extracting the CSRF request token from the current cookies.
| } | ||
| return ""; | ||
| }, | ||
| antiForgeryHeaders: function (isJson) { |
There was a problem hiding this comment.
This method is responsible for setting up API request headers including CSRF anti forgery token sent back to the server. If correct token is not provided in the header actions will return a 400.
|
@tedvanderveen Do you see any conflicts with this in regards to the stuff you've done for external authentication? |
|
@tidyui I shall pick this up next week! |
|
@tedvanderveen Great! The main update here when using an external authentication is that after login the request should be redirected to |
|
Merging this as it's blocking other pull requests and we're on a tight schedule :) If you have any comments regarding the implementation we can always address it in master. |
No description provided.