From c2ce595ea3ac900b9d0e4782632fd2ecf0d169d5 Mon Sep 17 00:00:00 2001
From: Zlatin Balevsky
Date: Sat, 16 May 2020 06:27:03 +0100
Subject: [PATCH] use synchronizer tokens. Thanks anonymousmaybe for the analysis
---
 grails-app/views/login/challenge.gsp | 2 +-
 grails-app/views/login/index.gsp | 2 +-
 .../ChallengeResponseAuthenticationFilter.groovy | 16 ++++++++++++++++
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/grails-app/views/login/challenge.gsp b/grails-app/views/login/challenge.gsp
index f157a1c..6eecdbc 100644
--- a/grails-app/views/login/challenge.gsp
+++ b/grails-app/views/login/challenge.gsp
@@ -9,7 +9,7 @@ Prove that you are ${shortID}
Sign the following challenge:
${challenge}
- +
checked /> Remember me
diff --git a/grails-app/views/login/index.gsp b/grails-app/views/login/index.gsp
index 02f7d8d..d9af28a 100644
--- a/grails-app/views/login/index.gsp
+++ b/grails-app/views/login/index.gsp
@@ -11,7 +11,7 @@

Copy-paste your full MuWire ID

- +
diff --git a/src/main/groovy/com/muwire/mucats/security/ChallengeResponseAuthenticationFilter.groovy b/src/main/groovy/com/muwire/mucats/security/ChallengeResponseAuthenticationFilter.groovy
index 49e907c..88b7cb7 100644
--- a/src/main/groovy/com/muwire/mucats/security/ChallengeResponseAuthenticationFilter.groovy
+++ b/src/main/groovy/com/muwire/mucats/security/ChallengeResponseAuthenticationFilter.groovy
@@ -6,6 +6,7 @@ import javax.servlet.http.HttpServletRequest
 import javax.servlet.http.HttpServletResponse
 import javax.servlet.http.HttpSession
+import org.grails.web.servlet.mvc.SynchronizerTokensHolder
 import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.AuthenticationException
@@ -27,6 +28,21 @@ class ChallengeResponseAuthenticationFilter extends AbstractAuthenticationProces
 throws AuthenticationException, IOException, ServletException {
 HttpSession session = request.getSession()
+ SynchronizerTokensHolder tokensHolder = session.getAttribute("SYNCHRONIZER_TOKENS_HOLDER")
+ if (!tokensHolder)
+ throw new AuthenticationException("inconsistent session") {}
+ String url = request.getParameter("SYNCHRONIZER_URI")
+ String token = request.getParameter("SYNCHRONIZER_TOKEN")
+ boolean valid = false
+ if (url && token) {
+ valid = tokensHolder.isValid(url, token)
+ tokensHolder.resetToken(url,token)
+ }
+
+ if (!valid) {
+ response.sendError(403,"Duplicate form submission")
+ return null
+ }
 String personaB64 = request.getParameter("personaB64")
 if (personaB64 != null) {
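Review bot: A request that omits SYNCHRONIZER_URI or SYNCHRONIZER_TOKEN altogether is rejected with the same 403 "Duplicate form submission" as a consumed token, which misleads anyone reading logs or the error page when telling a login-CSRF attempt apart from a double submit; since `url` and `token` are still in scope at the `sendError` call, something like `response.sendError(403, (url && token) ? "Duplicate form submission" : "Missing form token")` keeps the two cases distinguishable. The three string literals duplicate what the Grails form token tag emits; the same values are exposed as `SynchronizerTokensHolder.HOLDER`, `SynchronizerTokensHolder.TOKEN_URI` and `SynchronizerTokensHolder.TOKEN_KEY`, so using the constants keeps the filter from drifting from the views changed in the other two hunks. Calling `resetToken` before the validity result is acted on also means one bad submission discards the session's legitimate token for that URI and the user must reload the form, which is the intended one-time semantics but deserves a comment such as `// one-time token: consume it whatever the outcome so a replayed form cannot pass`. `attemptAuthentication` continues past the end of the hunk, so the non-null return paths are not visible here.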