add csrf token, fix scopes

josxha · Dec 6, 2023 · e220a59 · e220a59
1 parent e6b9d9f
commit e220a59
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 11 deletions.
diff --git a/KratosSelfService/Controllers/OAuth2Controller.cs b/KratosSelfService/Controllers/OAuth2Controller.cs
@@ -44,8 +44,10 @@ public async Task<IActionResult> ConsentGet([FromQuery(Name = "consent_challenge
     }
 
     [HttpPost("consent")]
-    public async Task<IActionResult> ConsentPost([FromForm] string challenge, [FromForm] bool remember,
-        [FromForm(Name = "grant_scope")] string grantScopes, [FromForm] string action)
+    [ValidateAntiForgeryToken]
+    public async Task<IActionResult> ConsentPost([FromForm(Name = "consent_challenge")] string challenge,
+        [FromForm] bool remember,
+        [FromForm(Name = "grant_scope")] List<string> grantScopes, [FromForm] string action)
     {
         if (env.HydraAdminUrl == null) return NotFound();
         var oAuth2Api = api.HydraOAuth2!;
@@ -74,15 +76,14 @@ public async Task<IActionResult> ConsentPost([FromForm] string challenge, [FromF
         logger.LogDebug("Consent request was accepted by the user");
         var consentRequest = await oAuth2Api.GetOAuth2ConsentRequestAsync(challenge);
 
-        var scopes = grantScopes.Split(",").ToList();
         var session = new HydraAcceptOAuth2ConsentRequestSession();
 
         var acceptRequest = await oAuth2Api.AcceptOAuth2ConsentRequestAsync(challenge,
             new HydraAcceptOAuth2ConsentRequest
             {
                 // We can grant all scopes that have been requested - hydra already checked for us that no
                 // additional scopes are requested accidentally.
-                GrantScope = scopes,
+                GrantScope = grantScopes,
                 // If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
                 // the app is built for the automated OpenID Connect Conformity Test Suite. You
                 // can peak inside the code for some ideas, but be aware that all data is fake

diff --git a/KratosSelfService/Views/OAuth2/Consent.cshtml b/KratosSelfService/Views/OAuth2/Consent.cshtml
@@ -7,19 +7,26 @@
 }
 
 <form class="section" action="consent" method="post">
-    <input type="hidden" name="challenge" value="@Model.request.Challenge">
-    <input type="hidden" name="_csrf" value="">
+    @Html.AntiForgeryToken()
+    <input type="hidden" name="consent_challenge" value="@Model.request.Challenge">
     <h1 class="title">An application wants to access your Account details</h1>
     <h2 class="subtitle pt-2">These information will be accessible by @clientName:</h2>
     <nav>
-        @foreach (var scopeItem in Model.request.RequestedScope)
-        {
-            <li>@scopeItem</li>
-        }
+        <fieldset>
+            @foreach (var scopeItem in Model.request.RequestedScope)
+            {
+                <div class="is-fullwidth pt-2 pb-2">
+                    <label class="label">
+                        <input type="checkbox" name="grant_scope" checked value="@scopeItem">
+                        @scopeItem
+                    </label>
+                </div>
+            }
+        </fieldset>
     </nav>
 
     <div class="pt-5">
-        <label class="label">
+        <label>
             <input type="checkbox" name="remember" value="1">
             Don't ask me again for this application
         </label>