Generate and store CSRF token in the session

Signed-off-by: DL6ER <dl6er@dl6er.de>

patch/civetweb/0001-add-pihole-mods.patch

@@ -77,30 +77,10 @@ index 81f642be..ed360a76 100644
  CIVETWEB_API int
  mg_send_http_error(struct mg_connection *conn, int status, const char *fmt, ...)
  {
-@@ -10649,6 +10649,10 @@ parse_http_request(char *buf, int len, struct mg_request_info *ri)
- 	    NULL;
- 	ri->num_headers = 0;
- 
-+	/******************** Pi-hole modification ********************/
-+	strncpy(ri->raw_http_head, buf, sizeof(ri->raw_http_head));
-+	/**************************************************************/
-+
- 	/* RFC says that all initial whitespaces should be ignored */
- 	/* This included all leading \r and \n (isspace) */
- 	/* See table: http://www.cplusplus.com/reference/cctype/ */
 diff --git a/src/webserver/civetweb/civetweb.h b/src/webserver/civetweb/civetweb.h
 index 7ea45fb2..f879ff3e 100644
 --- a/src/webserver/civetweb/civetweb.h
 +++ b/src/webserver/civetweb/civetweb.h
-@@ -186,6 +186,8 @@ struct mg_request_info {
- 
- 	const char *acceptedWebSocketSubprotocol; /* websocket subprotocol,
- 	                                           * accepted during handshake */
-+	// Pi-hole modification
-+	char raw_http_head[16384];
- };
- 
- 
 @@ -963,6 +964,16 @@ CIVETWEB_API int mg_send_http_error(struct mg_connection *conn,
                                      PRINTF_FORMAT_STRING(const char *fmt),
                                      ...) PRINTF_ARGS(3, 4);

src/api/auth.c

@@ -40,8 +40,8 @@
 #define NETTLE_SIGN
 #endif
 
-// How many bits should the SID use?
-#define SID_BITSIZE 160
+// How many bits should the SID and CSRF token use?
+#define SID_BITSIZE 128
 #define SID_SIZE BASE64_ENCODE_RAW_LENGTH(SID_BITSIZE/8)
 
 // SameSite=Strict: Defense against some classes of cross-site request forgery
@@ -68,7 +68,8 @@ static struct {
 	char remote_addr[48]; // Large enough for IPv4 and IPv6 addresses, hard-coded in civetweb.h as mg_request_info.remote_addr
 	char user_agent[128];
 	char sid[SID_SIZE];
-} auth_data[API_MAX_CLIENTS] = {{false, {false, false}, 0, 0, {0}, {0}, {0}}};
+	char csrf[SID_SIZE];
+} auth_data[API_MAX_CLIENTS] = {{false, {false, false}, 0, 0, {0}, {0}, {0}, {0}}};
 
 // Can we validate this client?
 // Returns -1 if not authenticated or expired
@@ -190,6 +191,9 @@ int check_client_auth(struct ftl_conn *api)
 			return send_json_error(api, 500, "internal_error", "Internal server error", NULL);
 		}
 
+		// Copy CSRF token into request
+		strncpy((char*)api->request->csrf_token, auth_data[user_id].csrf, sizeof(api->request->csrf_token) - 1);
+
 		if(config.debug.api.v.b)
 		{
 			char timestr[128];
@@ -517,8 +521,9 @@ int api_auth(struct ftl_conn *api)
 				auth_data[i].tls.login = api->request->is_ssl;
 				auth_data[i].tls.mixed = false;
 
-				// Generate new SID
+				// Generate new SID and CSRF token
 				generateSID(auth_data[i].sid);
+				generateSID(auth_data[i].csrf);
 
 				user_id = i;
 				break;

src/webserver/civetweb/civetweb.c

@@ -10975,10 +10975,6 @@ parse_http_request(char *buf, int len, struct mg_request_info *ri)
 	    NULL;
 	ri->num_headers = 0;
 
-	/******************** Pi-hole modification ********************/
-	strncpy(ri->raw_http_head, buf, sizeof(ri->raw_http_head));
-	/**************************************************************/
-
 	/* RFC says that all initial whitespaces should be ignored */
 	/* This included all leading \r and \n (isspace) */
 	/* See table: http://www.cplusplus.com/reference/cctype/ */

src/webserver/civetweb/civetweb.h

@@ -183,8 +183,6 @@ struct mg_request_info {
 
 	const char *acceptedWebSocketSubprotocol; /* websocket subprotocol,
 	                                           * accepted during handshake */
-	// Pi-hole modification
-	char raw_http_head[16384];
 };