Validate anti-CSRF token in password reset form

carlbennett · carlbennett · commit 36a4548cacba · 2019-08-23T05:41:17.000Z
diff --git a/src/controllers/User/ResetPassword.php b/src/controllers/User/ResetPassword.php
@@ -8,6 +8,7 @@
 use \CarlBennett\MVC\Libraries\Template;
 use \CarlBennett\MVC\Libraries\View;
 
+use \BNETDocs\Libraries\CSRF;
 use \BNETDocs\Libraries\EventTypes;
 use \BNETDocs\Libraries\Exceptions\UserNotFoundException;
 use \BNETDocs\Libraries\Logger;
@@ -37,18 +38,16 @@ public function &run( Router &$router, View &$view, array &$args ) {
     $model = new UserResetPasswordModel();
 
     $model->error = null;
-    $model->csrf_id = isset( $data[ 'csrf_id' ]) ? $data[ 'csrf_id' ] : null;
-    $model->csrf_token = (
-      isset( $data[ 'csrf_token' ]) ? $data[ 'csrf_token' ] : null
-    );
+    $model->csrf_id = mt_rand();
+    $model->csrf_token = CSRF::generate( $model->csrf_id );
     $model->pw1 = isset( $data[ 'pw1' ]) ? $data[ 'pw1' ] : null;
     $model->pw2 = isset( $data[ 'pw2' ]) ? $data[ 'pw2' ] : null;
     $model->token = isset( $data[ 't' ]) ? $data[ 't' ] : null;
     $model->user = null;
     $model->username = isset( $data[ 'username' ]) ? $data[ 'username' ] : null;
 
     if ( $router->getRequestMethod() == 'POST' ) {
-      $ret = $this->doPasswordReset( $model );
+      $ret = $this->doPasswordReset( $model, $data );
       if ( $ret !== self::RET_EMAIL ) {
         Logger::logEvent(
           EventTypes::USER_PASSWORD_RESET,
@@ -73,9 +72,21 @@ public function &run( Router &$router, View &$view, array &$args ) {
 
   }
 
-  protected function doPasswordReset( UserResetPasswordModel &$model ) {
+  protected function doPasswordReset( UserResetPasswordModel &$model, &$data ) {
     $model->error = 'INTERNAL_ERROR';
 
+    $csrf_id = isset( $data[ 'csrf_id' ]) ? $data[ 'csrf_id' ] : null;
+    $csrf_token = (
+      isset( $data[ 'csrf_token' ]) ? $data[ 'csrf_token' ] : null
+    );
+    $csrf_valid = CSRF::validate( $csrf_id, $csrf_token );
+
+    if ( !$csrf_valid ) {
+      $model->error = 'INVALID_CSRF';
+      return self::RET_FAILURE;
+    }
+    CSRF::invalidate( $csrf_id );
+
     if ( empty( $model->username )) {
       $model->error = 'EMPTY_USERNAME';
       return self::RET_FAILURE;
