From c53307230a13706bdc3ea7cbb6a930f8b3ea4f15 Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Mon, 18 Jul 2011 23:09:24 -0700
Subject: [PATCH] moved stage_user to POST with CSRF protection

---
 browserid/lib/wsapi.js                              |  6 +++---
 .../static/dialog/controllers/dialog_controller.js  | 13 ++++++++-----
 browserid/tests/registration-status-wsapi-test.js   |  4 ++--
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index c2761d5ad..a58a1e60f 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -63,12 +63,12 @@ function setup(app) {
    * this involves creating a secret url that must be delivered to the
    * user via their claimed email address.  Upon timeout expiry OR clickthrough
    * the staged user account transitions to a valid user account */
-  app.get('/wsapi/stage_user', checkParams([ "email", "pass", "pubkey", "site" ]), function(req, resp) {
+  app.post('/wsapi/stage_user', checkParams([ "email", "pass", "pubkey", "site" ]), function(req, resp) {
       
       // bcrypt the password
       // we should be cloning this object here.
-      var stageParams = req.query;
-      stageParams['hash'] = bcrypt.encrypt_sync(req.query.pass, bcrypt.gen_salt_sync(10));
+      var stageParams = req.body;
+      stageParams['hash'] = bcrypt.encrypt_sync(stageParams.pass, bcrypt.gen_salt_sync(10));
         
       try {
         // upon success, stage_user returns a secret (that'll get baked into a url
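Review bot: Nothing in this hunk checks the `csrf` value the dialog now posts — the handler runs checkParams on the four listed fields and goes straight to hashing, so the CSRF protection named in the subject must come from middleware registered elsewhere in setup(); if so, a comment above the route, `// csrf token in req.body is validated by the POST middleware registered above`, would make that dependency visible to the next reader. Separately, `stageParams` is `req.body` itself (the existing comment already asks for a clone) and it still carries the plaintext `pass` next to the newly added `hash`; if the object is handed to the storage layer unchanged, `delete stageParams.pass;` after the hash line keeps the cleartext out of whatever the staging record persists. The handler body continues past the end of the hunk.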
diff --git a/browserid/static/dialog/controllers/dialog_controller.js b/browserid/static/dialog/controllers/dialog_controller.js
index 8744d7238..05d273409 100644
--- a/browserid/static/dialog/controllers/dialog_controller.js
+++ b/browserid/static/dialog/controllers/dialog_controller.js
@@ -191,11 +191,14 @@ $.Controller("Dialog", {}, {
       var self = this;
 
       $.ajax({
-          url: '/wsapi/stage_user?email=' + encodeURIComponent(email)
-            + '&pass=' + encodeURIComponent(pass)
-            + '&pubkey=' + encodeURIComponent(keypair.pub)
-            + '&site=' + encodeURIComponent(this.remoteOrigin.replace(/^(http|https):\/\//, '')),
-            success: function() {
+          type: "post",
+          url: '/wsapi/stage_user',
+          data: {email: email,
+              pass: pass,
+              pubkey : keypair.pub,
+              site : this.remoteOrigin.replace(/^(http|https):\/\//, ''),
+              csrf : self.csrf},
+          success: function() {
             // account successfully staged, now wait for email confirmation
             self.doConfirmEmail(email, keypair);
           },
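Review bot: The new ajax options object mixes `this.remoteOrigin` and `self.csrf`; both resolve to the controller at this point, but `self` was aliased on the line above precisely so the request setup and its callbacks read the same way, so `site : self.remoteOrigin.replace(/^(http|https):\/\//, ''),` keeps the data block uniformly on `self`. The `success` handler is only moved, not changed; the enclosing method and any error handler lie outside the hunk.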
diff --git a/browserid/tests/registration-status-wsapi-test.js b/browserid/tests/registration-status-wsapi-test.js
index 96a0bdb8a..eec961955 100755
--- a/browserid/tests/registration-status-wsapi-test.js
+++ b/browserid/tests/registration-status-wsapi-test.js
@@ -31,7 +31,7 @@ suite.addBatch({
 // now start a registration
 suite.addBatch({
   "start registration": {
-    topic: wsapi.get('/wsapi/stage_user', {
+    topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
       pass: 'firstfakepass',
       pubkey: 'fakepubkey',
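Review bot: Neither test payload — this hunk and the one at `@@ -112` — includes a `csrf` field, while the dialog now sends `csrf : self.csrf`; either the `wsapi.post` helper injects the token or the server does not reject a request without one, and the test as written cannot tell the two apart. If the helper does not add it, the token-less request belongs in a separate negative case, and the happy path should supply the token explicitly. Both batch definitions continue outside their hunks.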
@@ -112,7 +112,7 @@ suite.addBatch({
 
 suite.addBatch({
   "re-registering an existing email": {
-    topic: wsapi.get('/wsapi/stage_user', {
+    topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
       pass: 'secondfakepass',
       pubkey: 'secondfakepubkey',
-- 
GitLab