Fix invalid CSRF token bug, make sure CSRF tokens can be up-to-date (#19338)

wxiaoguang · web-flow · commit 57c2ca7f26a7 · 2022-04-06T23:47:58.000+08:00
There was a bug that the CSRF token wouldn't in 24h. This fix just does what the CSRF function comment says: If this request is a GET request, it will generate a new token. Then the CSRF token can be kept up-to-date.
diff --git a/modules/context/csrf.go b/modules/context/csrf.go
@@ -229,6 +229,7 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
 		}
 	}
 
+	needsNew = needsNew || ctx.Req.Method == "GET" // If this request is a Get request, it will generate a new token, make sure the token is always up-to-date.
 	if needsNew {
 		// FIXME: actionId.
 		x.Token = GenerateToken(x.Secret, x.ID, "POST")

Original file line number	Diff line number	Diff line change
`@@ -229,6 +229,7 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {`
`229`	`229`	`}`
`230`	`230`	`}`
`231`	`231`
	`232`	`+ needsNew = needsNew \|\| ctx.Req.Method == "GET" // If this request is a Get request, it will generate a new token, make sure the token is always up-to-date.`
`232`	`233`	`if needsNew {`
`233`	`234`	`// FIXME: actionId.`
`234`	`235`	`x.Token = GenerateToken(x.Secret, x.ID, "POST")`