Add CSRF check into websockets
This adds CSRF check into websockets to avoid
attacks on websockets.
Tested: Could no longer use cross-site scripting to
open a websocket. KVM and SOL still work once the web-ui
changes are updated
Change-Id: I325079ae3d4db2701671564dff733e034d2670d6
Signed-off-by: James Feist <james.feist@linux.intel.com>
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 4144705..8ff903a 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -39,6 +39,7 @@
std::string csrfToken;
std::chrono::time_point<std::chrono::steady_clock> lastUpdated;
PersistenceType persistence;
+ bool cookieAuth = false;
/**
* @brief Fills object with data from UserSession's JSON representation
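Review bot: The new `cookieAuth` member is security-relevant but carries no comment saying what it means or who reads it. A line such as `// set when the session was authenticated via cookie; websocket upgrades use it to decide whether a CSRF token is required` would make the contract explicit. The comment that follows refers to filling the object from its JSON representation. It is not visible here whether that path touches the new field, so a restored session presumably starts with `false` until the next cookie-authenticated request; worth confirming that this is the intended default.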
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index efa691c..aaa1325 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -236,6 +236,7 @@
}
}
#endif
+ session->cookieAuth = true;
return session;
}
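Review bot: `session->cookieAuth = true;` is stored on the session object and nothing in this hunk resets it, so the flag means "this session has been authenticated by cookie at some point", not "this request was". If the same session can also be presented through a non-cookie method (not visible here), later websocket upgrades from that client would still be treated as cookie-authenticated. That fails closed, but it should be stated in a comment, e.g. `// sticky: set on any cookie-authenticated request, never cleared`. The assignment also sits after the `#endif`, so it runs in builds where the preceding conditional block is compiled out. If that block is the CSRF validation, the websocket check that reads this flag needs the same build guard. The enclosing function starts outside the hunk.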