Fix issue where password reset form sends password as a GET parameter.

2025-09-23 17:59:06 +00:00 · 2021-12-03 21:54:30 -05:00 · 2021-12-03 21:54:30 -05:00 · fbcf0eafa7
commit fbcf0eafa7
parent de897d01d9
2 changed files with 41 additions and 14 deletions
--- a/ProjectLighthouse/Pages/PasswordResetPage.cshtml
+++ b/ProjectLighthouse/Pages/PasswordResetPage.cshtml
@ -20,7 +20,19 @@
    }
 </script>
                                    
-<form onsubmit="return onSubmit(this)">
+@if (!string.IsNullOrWhiteSpace(Model.Error))
+{
+    <div class="ui negative message">
+        <div class="header">
+            Uh oh!
+        </div>    
+        <p>@Model.Error</p>
+    </div>
+}
+
+<form onsubmit="return onSubmit(this)" method="post">
+    @Html.AntiForgeryToken()
+
    <div class="ui left labeled input">
        <label for="password" class="ui blue label">Password: </label>
        <input type="password" name="password" id="password">
--- a/ProjectLighthouse/Pages/PasswordResetPage.cshtml.cs
+++ b/ProjectLighthouse/Pages/PasswordResetPage.cshtml.cs
@ -1,5 +1,6 @@
 #nullable enable
 using System.Threading.Tasks;
+using JetBrains.Annotations;
 using LBPUnion.ProjectLighthouse.Helpers;
 using LBPUnion.ProjectLighthouse.Pages.Layouts;
 using LBPUnion.ProjectLighthouse.Types;
@ -12,17 +13,26 @@ namespace LBPUnion.ProjectLighthouse.Pages
        public PasswordResetPage(Database database) : base(database)
        {}

-        public bool WasResetRequest { get; private set; }
-        public async Task<IActionResult> OnGet([FromQuery] string password, [FromQuery] string confirmPassword)
+
+        public string Error { get; private set; }
+
+        [UsedImplicitly]
+        public async Task<IActionResult> OnPost(string password, string confirmPassword)
        {
            User? user = this.Database.UserFromWebRequest(this.Request);
            if (user == null) return this.Redirect("~/login");

-            this.WasResetRequest = !string.IsNullOrEmpty(password) && !string.IsNullOrEmpty(confirmPassword);
-
-            if (this.WasResetRequest)
+            if (string.IsNullOrWhiteSpace(password))
            {
-                if (password != confirmPassword) return this.BadRequest();
+                this.Error = "The password field is required.";
+                return this.Page();
+            }
+
+            if (password != confirmPassword)
+            {
+                this.Error = "Passwords do not match!";
+                return this.Page();
+            }

            user.Password = HashHelper.BCryptHash(password);
            user.PasswordResetRequired = false;
@ -32,6 +42,11 @@ namespace LBPUnion.ProjectLighthouse.Pages
            return this.Redirect("~/");
        }

+        [UsedImplicitly]
+        public IActionResult OnGet()
+        {
+            User? user = this.Database.UserFromWebRequest(this.Request);
+            if (user == null) return this.Redirect("~/login");
            return this.Page();
        }
    }