Diffstat (limited to 'www/login.pl')
-rwxr-xr-xwww/login.pl8
1 files changed, 8 insertions, 0 deletions
diff --git a/www/login.pl b/www/login.pl
index fe1729d..5d27cbe 100755
--- a/www/login.pl
+++ b/www/login.pl
@@ -79,6 +79,14 @@ while (my $cgi = new CGI::Fast) {
}
when ('google') {
my $code = $cgi->param('code') or die "Authorization code is missing.";
+
+ # Validate CSRF token.
+ my $oauth_state = $cgi->param('state');
+ my $csrf_token = read_cookie($cgi, 'mulkyid_csrf_token');
+ unless ($csrf_token && $oauth_state && $csrf_token eq $oauth_state) {
+ die "CSRF token was forged!";
+ }
+
my $oidc_client = OIDC::Lite::Client::WebServer->new(
id => $::MULKONF->{'google_oauth2_client_id'},
secret => $::MULKONF->{'google_oauth2_client_secret'},
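Review bot: The `unless` check on `$csrf_token eq $oauth_state` validates the state once but never retires the `mulkyid_csrf_token` cookie, so the same value keeps satisfying the check on every later callback until the cookie expires; the token should be cleared or rotated right after the comparison succeeds, using whatever cookie-writing counterpart `read_cookie` has (not visible in this hunk). The `die "CSRF token was forged!"` message also fires when the cookie has simply expired or was never set, so a neutral wording such as `die "OAuth state does not match the CSRF cookie.";` would be more accurate for log readers. Since `$code` is checked before the state, a request with a bad state but no code dies with the unrelated "Authorization code is missing." message; moving the state check above the `$code` line makes the CSRF failure the first thing reported. The enclosing `when ('google')` block and the `while` loop both continue outside the hunk.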