Closed jasonaowen closed 6 years ago
The javascript has been added. Test by going to login page, then restarting the app, and then attempting to login. Also can regression test by just logging in :)
Bonus points for logging in without javascript to see the invalid csrf token if you've restarted the app, or success if you haven't.
@frankduncan nicely done! :+1: (I can't approve my own PR, and I haven't tested it, anyway)
Please feel free to squash our changes together, and include the other author with `Co-authored-by:`; I'd rather my WIP commit didn't get merged as-is!
Thanks for the review! I think I've handled everything :)
Fixed!
This is a very early and incomplete effort to fix the anti-CSRF tokens expiring on the login page.
From the Spring docs:
This implements the REST endpoint that provides such a token. I have not yet written the client-side JavaScript that overrides the default form behavior, fetches the token, and then includes it in the form submission; that would be necessary to complete this feature.
I open this in the hope that someone will be able to complete it, but I'm afraid it will not be me. If this is too partial to be useful, please close the PR.
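The client-side half the description says is missing, written here as an added example rather than code from this PR or project: on submit, fetch a fresh token from the REST endpoint and inject it into the form before the browser posts it. The endpoint path `/csrf`, the JSON field names (`token`, `parameterName`) and the hidden input name `_csrf` are assumptions; the fetch function is injectable so the logic can be exercised without a browser.

```javascript
// Added example, not the PR's code. Assumed endpoint path; the PR's
// controller may expose the token somewhere else.
const TOKEN_ENDPOINT = '/csrf';

// Validate the token response. Field names follow the shape a serialized
// Spring CsrfToken commonly has (assumption, not confirmed by this PR).
function extractToken(body) {
  if (!body || typeof body.token !== 'string' || body.token.length === 0) {
    throw new Error('token endpoint returned no usable token');
  }
  return { name: body.parameterName || '_csrf', value: body.token };
}

// Write the token into the form's hidden input, creating it if absent.
// `form` needs querySelector/appendChild/ownerDocument (a real
// HTMLFormElement in the browser, a minimal stand-in in tests).
function setHiddenToken(form, name, value) {
  let input = form.querySelector(`input[name="${name}"]`);
  if (!input) {
    input = form.ownerDocument.createElement('input');
    input.type = 'hidden';
    input.name = name;
    form.appendChild(input);
  }
  input.value = value;
  return input;
}

// Fetch a fresh token and place it in the form; rejects on any failure so
// the caller decides whether to fall back to the token already rendered.
async function refreshCsrfToken(form, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    credentials: 'same-origin', headers: { Accept: 'application/json' },
  });
  if (!res.ok) throw new Error(`token endpoint responded ${res.status}`);
  const { name, value } = extractToken(await res.json());
  return setHiddenToken(form, name, value);
}

// Intercept submit, refresh the token, then submit for real. form.submit()
// does not re-fire the submit event, so the handler cannot loop.
function installCsrfRefresh(form, fetchImpl) {
  form.addEventListener('submit', async (event) => {
    event.preventDefault();
    try {
      await refreshCsrfToken(form, fetchImpl);
    } catch (err) {
      console.error('CSRF refresh failed; submitting with the rendered token', err);
    }
    form.submit();
  });
}

if (typeof document !== 'undefined') {
  const loginForm = document.querySelector('form[action="/login"]'); // assumed selector
  if (loginForm) installCsrfRefresh(loginForm);
}
```

When the refresh fails the form still posts with whatever token was rendered, which reproduces the no-JavaScript behaviour described above (invalid token after a restart, success otherwise) rather than silently blocking the login.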
Issue #1032 Prevent stale anti-CSRF tokens on login page