coyote/routes/user_settings.cpp

#include "routes.h"
#include "../hex.h"
#include "../config.h"
#include "../servehelper.h"
#include "../settings.h"
#include "../timeutils.h"
#include "../curlu_wrapper.h"
#include "../openssl_wrapper.h"

static inline std::string generate_csrf_token(void);
static inline bool validate_csrf_token(const httplib::Request& req, httplib::Response& res, std::string_view csrf_token, std::string_view query_csrf_token);
static void set_cookie(const httplib::Request& req, httplib::Response& res, const char* key, std::string_view value, bool session = false);
static bool safe_memcmp(const char* s1, const char* s2, size_t n);


void user_settings_route(const httplib::Request& req, httplib::Response& res) {
    UserSettings settings;
    Cookies cookies = parse_cookies(req);
    std::string csrf_token;

    if (req.method == "POST") {
        if (!cookies.contains("csrf-token")) {
            res.status = 400;
            serve_error(req, res, "400: Bad Request", "Missing CSRF token cookie, are cookies enabled?");
            return;
        }
        csrf_token = cookies["csrf-token"];

        auto query_csrf_token = req.params.find("csrf-token");
        if (query_csrf_token == req.params.end()) {
            res.status = 400;
            serve_error(req, res, "400: Bad Request", "Missing CSRF token query parameter");
            return;
        }

        if (!validate_csrf_token(req, res, csrf_token, query_csrf_token->second)) {
            return;
        }

        for (const auto& i : req.params) {
            settings.set(i.first, i.second);
        }

        set_cookie(req, res, "auto-open-cw", settings.auto_open_cw ? "true" : "false");
    } else {
        for (auto &[name, value] : cookies) {
            settings.set(name, value);
        }

        if (cookies.contains("csrf-token")) {
            csrf_token = cookies["csrf-token"];
        } else {
            csrf_token = generate_csrf_token();
            set_cookie(req, res, "csrf-token", csrf_token, true);
        }
    }

    Element auto_open_cw_checkbox("input", {{"type", "checkbox"}, {"name", "auto-open-cw"}, {"value", "true"}}, {});
    if (settings.auto_open_cw) {
        auto_open_cw_checkbox.attributes.push_back({"checked", ""});
    }

    Element body("body", {
        Element("form", {{"class", "user_settings_page-form"}, {"method", "post"}}, {
            Element("label", {
                std::move(auto_open_cw_checkbox),
                " Automatically open Content Warnings",
            }),

            Element("br"),
            Element("input", {{"type", "hidden"}, {"name", "csrf-token"}, {"value", csrf_token}}, {}),
            Element("input", {{"type", "submit"}, {"value", "Save"}}, {}),
        }),
        Element("form", {{"class", "user_settings_page-form"}, {"method", "get"}, {"action", get_origin(req)}}, {
            Element("input", {{"class", "cancel"}, {"type", "submit"}, {"value", "Cancel"}}, {}),
        }),
    });
    if (req.method == "POST") {
        body.nodes.insert(body.nodes.begin(), Element("div", {{"class", "success"}}, {
            Element("h3", {"Settings saved!"}),
        }));
    }

    serve(req, res, "User settings", std::move(body));
}


static inline std::string generate_csrf_token(void) {
    std::vector<char> raw_token = secure_random_bytes(32);
    std::array<char, 32> raw_token_hmac = hmac_sha3_256(config.hmac_key, raw_token);

    return hex_encode(raw_token) + '.' + hex_encode(raw_token_hmac.data(), raw_token_hmac.size());
}

static inline bool validate_csrf_token(const httplib::Request& req, httplib::Response& res, std::string_view csrf_token, std::string_view query_csrf_token) {
    if (csrf_token.size() != query_csrf_token.size() || !safe_memcmp(csrf_token.data(), query_csrf_token.data(), csrf_token.size())) {
        res.status = 400;
        serve_error(req, res, "400: Bad Request", "CSRF token cookie and CSRF token query parameter do not match");
        return false;
    }

    if (csrf_token.size() != 64 + 1 + 64 || csrf_token[64] != '.') {
        res.status = 400;
        serve_error(req, res, "400: Bad Request", "CSRF token is in an unknown format");
        return false;
    }

    std::vector<char> raw_token, raw_token_hmac;
    try {
        raw_token = hex_decode(csrf_token.substr(0, 64));
        raw_token_hmac = hex_decode(csrf_token.substr(64 + 1, 64));
    } catch (const std::exception& e) {
        res.status = 400;
        serve_error(req, res, "400: Bad Request", "Failed to parse CSRF token", e.what());
        return false;
    }

    std::array<char, 32> our_raw_token_hmac = hmac_sha3_256(config.hmac_key, raw_token);
    if (!safe_memcmp(raw_token_hmac.data(), our_raw_token_hmac.data(), 32)) {
        res.status = 400;
        serve_error(req, res, "400: Bad Request", "CSRF token HMAC is not correct");
        return false;
    }

    return true;
}

static void set_cookie(const httplib::Request& req, httplib::Response& res, const char* key, std::string_view value, bool session) {
    CurlUrl origin;
    origin.set(CURLUPART_URL, get_origin(req));

    std::string header = std::string(key) + '=' + std::string(value)
        + "; HttpOnly; SameSite=Lax; Domain=" + origin.get(CURLUPART_HOST).get() + "; Path=" + origin.get(CURLUPART_PATH).get();
    if (!session) {
        header += "; Expires=";
        header += to_web_date(current_time() + 365 * 24 * 60 * 60);
    }
    if (strcmp(origin.get(CURLUPART_SCHEME).get(), "https") == 0) {
        header += "; Secure";
    }

    res.set_header("Set-Cookie", header);
}

static bool safe_memcmp(const char* s1, const char* s2, size_t n) {
    bool equal = true;

    for (size_t i = 0; i < n; i++) {
        equal &= s1[i] == s2[i];
    }

    return equal;
}
Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00			`#include "routes.h"`
Add CSRF protection 2023-12-08 11:27:27 +00:00			`#include "../hex.h"`
			`#include "../config.h"`
Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00			`#include "../servehelper.h"`
			`#include "../settings.h"`
			`#include "../timeutils.h"`
			`#include "../curlu_wrapper.h"`
Add CSRF protection 2023-12-08 11:27:27 +00:00			`#include "../openssl_wrapper.h"`
Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00
Add CSRF protection 2023-12-08 11:27:27 +00:00			`static inline std::string generate_csrf_token(void);`
			`static inline bool validate_csrf_token(const httplib::Request& req, httplib::Response& res, std::string_view csrf_token, std::string_view query_csrf_token);`
			`static void set_cookie(const httplib::Request& req, httplib::Response& res, const char* key, std::string_view value, bool session = false);`
			`static bool safe_memcmp(const char* s1, const char* s2, size_t n);`
Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00

			`void user_settings_route(const httplib::Request& req, httplib::Response& res) {`
			`UserSettings settings;`
Add CSRF protection 2023-12-08 11:27:27 +00:00			`Cookies cookies = parse_cookies(req);`
			`std::string csrf_token;`
Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00
			`if (req.method == "POST") {`
Add CSRF protection 2023-12-08 11:27:27 +00:00			`if (!cookies.contains("csrf-token")) {`
			`res.status = 400;`
			`serve_error(req, res, "400: Bad Request", "Missing CSRF token cookie, are cookies enabled?");`
			`return;`
			`}`
			`csrf_token = cookies["csrf-token"];`

			`auto query_csrf_token = req.params.find("csrf-token");`
			`if (query_csrf_token == req.params.end()) {`
			`res.status = 400;`
			`serve_error(req, res, "400: Bad Request", "Missing CSRF token query parameter");`
			`return;`
			`}`

			`if (!validate_csrf_token(req, res, csrf_token, query_csrf_token->second)) {`
			`return;`
			`}`

Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00			`for (const auto& i : req.params) {`
			`settings.set(i.first, i.second);`
			`}`

			`set_cookie(req, res, "auto-open-cw", settings.auto_open_cw ? "true" : "false");`
			`} else {`
Add CSRF protection 2023-12-08 11:27:27 +00:00			`for (auto &[name, value] : cookies) {`
			`settings.set(name, value);`
			`}`

			`if (cookies.contains("csrf-token")) {`
			`csrf_token = cookies["csrf-token"];`
			`} else {`
			`csrf_token = generate_csrf_token();`
			`set_cookie(req, res, "csrf-token", csrf_token, true);`
			`}`
Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00			`}`

			`Element auto_open_cw_checkbox("input", {{"type", "checkbox"}, {"name", "auto-open-cw"}, {"value", "true"}}, {});`
			`if (settings.auto_open_cw) {`
			`auto_open_cw_checkbox.attributes.push_back({"checked", ""});`
			`}`

			`Element body("body", {`
			`Element("form", {{"class", "user_settings_page-form"}, {"method", "post"}}, {`
			`Element("label", {`
			`std::move(auto_open_cw_checkbox),`
			`" Automatically open Content Warnings",`
			`}),`

			`Element("br"),`
Add CSRF protection 2023-12-08 11:27:27 +00:00			`Element("input", {{"type", "hidden"}, {"name", "csrf-token"}, {"value", csrf_token}}, {}),`
Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00			`Element("input", {{"type", "submit"}, {"value", "Save"}}, {}),`
			`}),`
			`Element("form", {{"class", "user_settings_page-form"}, {"method", "get"}, {"action", get_origin(req)}}, {`
			`Element("input", {{"class", "cancel"}, {"type", "submit"}, {"value", "Cancel"}}, {}),`
			`}),`
			`});`
			`if (req.method == "POST") {`
			`body.nodes.insert(body.nodes.begin(), Element("div", {{"class", "success"}}, {`
			`Element("h3", {"Settings saved!"}),`
			`}));`
			`}`

			`serve(req, res, "User settings", std::move(body));`
			`}`


Add CSRF protection 2023-12-08 11:27:27 +00:00			`static inline std::string generate_csrf_token(void) {`
			`std::vector<char> raw_token = secure_random_bytes(32);`
			`std::array<char, 32> raw_token_hmac = hmac_sha3_256(config.hmac_key, raw_token);`

			`return hex_encode(raw_token) + '.' + hex_encode(raw_token_hmac.data(), raw_token_hmac.size());`
			`}`

			`static inline bool validate_csrf_token(const httplib::Request& req, httplib::Response& res, std::string_view csrf_token, std::string_view query_csrf_token) {`
			`if (csrf_token.size() != query_csrf_token.size() \|\| !safe_memcmp(csrf_token.data(), query_csrf_token.data(), csrf_token.size())) {`
			`res.status = 400;`
			`serve_error(req, res, "400: Bad Request", "CSRF token cookie and CSRF token query parameter do not match");`
			`return false;`
			`}`

			`if (csrf_token.size() != 64 + 1 + 64 \|\| csrf_token[64] != '.') {`
			`res.status = 400;`
			`serve_error(req, res, "400: Bad Request", "CSRF token is in an unknown format");`
			`return false;`
			`}`

			`std::vector<char> raw_token, raw_token_hmac;`
			`try {`
			`raw_token = hex_decode(csrf_token.substr(0, 64));`
			`raw_token_hmac = hex_decode(csrf_token.substr(64 + 1, 64));`
			`} catch (const std::exception& e) {`
			`res.status = 400;`
			`serve_error(req, res, "400: Bad Request", "Failed to parse CSRF token", e.what());`
			`return false;`
			`}`

			`std::array<char, 32> our_raw_token_hmac = hmac_sha3_256(config.hmac_key, raw_token);`
			`if (!safe_memcmp(raw_token_hmac.data(), our_raw_token_hmac.data(), 32)) {`
			`res.status = 400;`
			`serve_error(req, res, "400: Bad Request", "CSRF token HMAC is not correct");`
			`return false;`
			`}`

			`return true;`
			`}`

			`static void set_cookie(const httplib::Request& req, httplib::Response& res, const char* key, std::string_view value, bool session) {`
Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00			`CurlUrl origin;`
			`origin.set(CURLUPART_URL, get_origin(req));`

			`std::string header = std::string(key) + '=' + std::string(value)`
Add CSRF protection 2023-12-08 11:27:27 +00:00			`+ "; HttpOnly; SameSite=Lax; Domain=" + origin.get(CURLUPART_HOST).get() + "; Path=" + origin.get(CURLUPART_PATH).get();`
			`if (!session) {`
			`header += "; Expires=";`
			`header += to_web_date(current_time() + 365 * 24 * 60 * 60);`
			`}`
Add the option to automatically open content warnings 2023-11-30 05:33:17 +00:00			`if (strcmp(origin.get(CURLUPART_SCHEME).get(), "https") == 0) {`
			`header += "; Secure";`
			`}`

			`res.set_header("Set-Cookie", header);`
			`}`
Add CSRF protection 2023-12-08 11:27:27 +00:00
			`static bool safe_memcmp(const char* s1, const char* s2, size_t n) {`
			`bool equal = true;`

			`for (size_t i = 0; i < n; i++) {`
			`equal &= s1[i] == s2[i];`
			`}`

			`return equal;`
			`}`