Skylark : GetIdentity alternative way of working [message #53780]
Thu, 30 April 2020 00:10
Xemuth
Hello,
Today I tried to set up a form using $post_identity() to prevent CSRF attacks. However, for some strange reason, the example provided by Upp (Skylark06) works perfectly, but when used in my own app, the String GetIdentity(const Renderer *r) function always returns "zd", since the key/value named __identity__ is not in the first position in the http->var VectorMap<String,Value>.
To fix my problem I changed the function a bit:
    String GetIdentity(const Renderer *r)
    {
        Http *http = const_cast<Http *>(dynamic_cast<const Http *>(r));
        if(!http)
            throw Exc("invalid POST identity call");
        //New
        bool find = false;
        Upp::String s;
        for(const Upp::String& key : http->var.GetKeys()){
            if(key.Find("__identity__") != -1){
                s = http->var.Get(key).ToString();
                find = true;
                break;
            }
        }
        if(find)
            return s;
        s = AsString(Uuid::Create());
        http->SessionSet0("__identity__", s);
        http->var[0] = s;
        return s;
    }
What do you think about it?
my github : https://github.com/Xemuth
Re: Skylark : GetIdentity alternative way of working [message #57564 is a reply to message #53802]
Sat, 25 September 2021 22:42
Klugier
Hello Xemuth,
I saw your recent message. I think you should just create a PR into Mirek's repository and the code could be reviewed there. This should also speed up the time until the changes are present on the master/main branch of Skylark.
However, I have some questions about the current solution (in the context of framework improvement we need to think more globally rather than locally (how to fix my problem only)):
- What if there will be more than one identity (is this reasonable scenario)? Could we call several post_identity in one witz file?
- Backwards compatibility - does it break something?
You could simplify your solution:

    //New
    for(const Upp::String& key : http->var.GetKeys()){
        if(key.Find("__identity__") != -1){
            return http->var.Get(key).ToString();
        }
    }
    auto s = AsString(Uuid::Create());

Also extract this "__identity__" (magic string problem) into a constexpr variable (example):

    constexpr const char* IDENTITY = "__identity__";

Klugier
Ultimate++ - one framework to rule them all.
[Updated on: Sat, 25 September 2021 22:44]
Re: Skylark : GetIdentity alternative way of working [message #57565 is a reply to message #57564]
Sun, 26 September 2021 01:16
Xemuth
Hello Klugier, I will create a pull request.
Quote: What if there will be more than one identity (is this reasonable scenario)? Could we call several post_identity in one witz file?
We can call as many post_identity as we want in a witz file:
    <form action=$Auth2 onSubmit="return prepareData()" method="post" accept-charset="utf-8" enctype="multipart/form-data">
        <div class="row">
            $post_identity()
            $post_identity()
            $post_identity()
            <div class="col-md-1 col-md-offset-3">
                <div class="RightText">Login:</div>
https://i.imgur.com/XaShdHw.png
Having it multiple times in witz doesn't affect the way __identity__ works. Same goes for __js_identity__.
Quote: Backwards compatibility - does it break something?
Here is the old code:
    String GetIdentity(const Renderer *r)
    {
        // This ugly hack expects that __identity__ is always present in r->var
        Http *http = const_cast<Http *>(dynamic_cast<const Http *>(r));
        if(!http)
            throw Exc("invalid POST identity call");
        String s = http->var[0];
        if(s.GetCount())
            return s;
        s = AsString(Uuid::Create());
        http->SessionSet0("__identity__", s);
        http->var[0] = s;
        return s;
    }
It expects to have __identity__ at index 0. That's not always true (especially when we use external libs to send data via JavaScript).
The new code does the same thing but looks it up. I don't think a regression could occur.
my github : https://github.com/Xemuth
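
Added example, not code from the thread or from U++: a stand-alone C++ model of the lookup discussed above, comparing the index-0 read, the substring key match from the first post, and an exact-key match. `VarMap`, the function names and the sample values are assumptions made so it builds without U++; the session write (`SessionSet0`) is left out.

```cpp
#include <string>
#include <utility>
#include <vector>

// Assumed stand-in for Skylark's ordered http->var (VectorMap<String, Value>).
using VarMap = std::vector<std::pair<std::string, std::string>>;

constexpr const char* IDENTITY = "__identity__";

// Old behaviour: trust whatever value sits at index 0.
std::string identity_by_position(const VarMap& var) {
    return var.empty() ? std::string() : var[0].second;
}

// Lookup as posted in the thread: first key that *contains* the name.
std::string identity_by_substring(const VarMap& var) {
    for (const auto& kv : var)
        if (kv.first.find(IDENTITY) != std::string::npos)
            return kv.second;
    return {};
}

// Exact-key lookup: only the identity entry itself can match.
std::string identity_by_key(const VarMap& var) {
    for (const auto& kv : var)
        if (kv.first == IDENTITY)
            return kv.second;
    return {};
}

// Return the stored identity, or store `fresh` under the key itself rather
// than at index 0. `fresh` stands in for AsString(Uuid::Create()).
std::string get_identity(VarMap& var, const std::string& fresh) {
    for (auto& kv : var) {
        if (kv.first == IDENTITY) {
            if (kv.second.empty())
                kv.second = fresh;  // placeholder slot present but unset
            return kv.second;
        }
    }
    var.emplace_back(IDENTITY, fresh);
    return fresh;
}

int main() {
    // Constructed sample: another variable ended up ahead of the identity.
    VarMap var = {{"login", "zd"}, {"__identity__", "tok-1"}};
    return identity_by_key(var) == "tok-1" ? 0 : 1;
}
```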