From 2da3c41da82eb945832f22bb70dba567ac6ce969 Mon Sep 17 00:00:00 2001
From: Sebastian <sebastian@squidex.io>
Date: Sat, 28 Jan 2023 19:05:47 +0100
Subject: [PATCH] Antiforgery for profile pages.

---
 .../Controllers/Account/AccountController.cs   |  1 +
 .../Controllers/Profile/ProfileController.cs   |  1 +
 .../Controllers/Setup/SetupController.cs       |  1 +
 .../Views/Account/Consent.cshtml               |  2 ++
 .../IdentityServer/Views/Account/Login.cshtml  |  4 ++++
 .../Views/Profile/Profile.cshtml               | 18 +++++++++++++++++-
 .../IdentityServer/Views/Setup/Setup.cshtml    |  2 ++
 .../contents/content-list-cell.directive.ts    |  2 +-
 .../contents/content-list-field.component.html |  2 +-
 9 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
index aca33f5e2d..a3a85c9f88 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
@@ -19,6 +19,7 @@
 
 namespace Squidex.Areas.IdentityServer.Controllers.Account;
 
+[AutoValidateAntiforgeryToken]
 public sealed class AccountController : IdentityServerController
 {
     private readonly IUserService userService;
diff --git a/backend/src/Squidex/Areas/IdentityServer/Controllers/Profile/ProfileController.cs b/backend/src/Squidex/Areas/IdentityServer/Controllers/Profile/ProfileController.cs
index 45c7c2e80a..b71f50b30b 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Controllers/Profile/ProfileController.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Controllers/Profile/ProfileController.cs
@@ -25,6 +25,7 @@
 namespace Squidex.Areas.IdentityServer.Controllers.Profile;
 
 [Authorize]
+[AutoValidateAntiforgeryToken]
 public sealed class ProfileController : IdentityServerController
 {
     private readonly IUserPictureStore userPictureStore;
diff --git a/backend/src/Squidex/Areas/IdentityServer/Controllers/Setup/SetupController.cs b/backend/src/Squidex/Areas/IdentityServer/Controllers/Setup/SetupController.cs
index 5287099ddd..72359170b5 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Controllers/Setup/SetupController.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Controllers/Setup/SetupController.cs
@@ -21,6 +21,7 @@
 
 namespace Squidex.Areas.IdentityServer.Controllers.Setup;
 
+[AutoValidateAntiforgeryToken]
 public class SetupController : IdentityServerController
 {
     private readonly IAssetStore assetStore;
diff --git a/backend/src/Squidex/Areas/IdentityServer/Views/Account/Consent.cshtml b/backend/src/Squidex/Areas/IdentityServer/Views/Account/Consent.cshtml
index acc02cf783..e28922603b 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Views/Account/Consent.cshtml
+++ b/backend/src/Squidex/Areas/IdentityServer/Views/Account/Consent.cshtml
@@ -12,6 +12,8 @@
 }
 
 <form asp-controller="Account" asp-action="Consent" asp-route-returnurl="@Model!.ReturnUrl" method="post">
+    @Html.AntiForgeryToken()
+
     <h2>@T.Get("users.consent.headline")</h2>
         
     <label for="consentToAutomatedEmails">
diff --git a/backend/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml b/backend/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml
index 956ab25864..04527ee7ec 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml
+++ b/backend/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml
@@ -31,6 +31,8 @@
     </div>
 
     <form asp-controller="Account" asp-action="External" asp-route-returnurl="@Model!.ReturnUrl" method="post">
+        @Html.AntiForgeryToken()
+
         @foreach (var provider in Model!.ExternalProviders)
         {
             var schema = provider.AuthenticationScheme.ToLowerInvariant();
@@ -60,6 +62,8 @@
             }
 
             <form asp-controller="Account" asp-action="Login" asp-route-returnurl="@Model!.ReturnUrl" method="post">
+                @Html.AntiForgeryToken()
+
                 <div class="form-group">
                     <input type="email" class="form-control" name="email" id="email" placeholder="@T.Get("users.login.emailPlaceholder")" />
                 </div>
diff --git a/backend/src/Squidex/Areas/IdentityServer/Views/Profile/Profile.cshtml b/backend/src/Squidex/Areas/IdentityServer/Views/Profile/Profile.cshtml
index 7037481206..12b2933fa2 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Views/Profile/Profile.cshtml
+++ b/backend/src/Squidex/Areas/IdentityServer/Views/Profile/Profile.cshtml
@@ -38,6 +38,8 @@
     </div>
     <div class="col">
         <form id="pictureForm" class="profile-picture-form" asp-controller="Profile" asp-action="UploadPicture" method="post" enctype="multipart/form-data">
+            @Html.AntiForgeryToken()
+
             <span class="btn btn-secondary" id="pictureButton">
                 <span>@T.Get("users.profile.uploadPicture")</span>
 
@@ -48,6 +50,8 @@
 </div>
 
 <form class="profile-form profile-section" asp-controller="Profile" asp-action="UpdateProfile" method="post">
+    @Html.AntiForgeryToken()
+
     <div class="form-group">
         <label for="email">@T.Get("common.email")</label>
 
@@ -101,6 +105,8 @@
                         @if (Model!.ExternalLogins.Count > 1 || Model!.HasPassword)
                         {
                             <form asp-controller="Profile" asp-action="RemoveLogin" method="post">
+                                @Html.AntiForgeryToken()
+
                                 <input type="hidden" value="@login.LoginProvider" name="LoginProvider" />
                                 <input type="hidden" value="@login.ProviderKey" name="ProviderKey" />
 
@@ -115,6 +121,8 @@
         </table>
 
         <form asp-controller="Profile" asp-action="AddLogin" method="post">
+            @Html.AntiForgeryToken()
+
             @foreach (var provider in Model!.ExternalProviders.Where(x => Model!.ExternalLogins.All(y => x.AuthenticationScheme != y.LoginProvider)))
             {
                 var schema = provider.AuthenticationScheme.ToLowerInvariant();
@@ -134,9 +142,11 @@
     <div class="profile-section">
         <h2>@T.Get("users.profile.passwordTitle")</h2>
 
-       @if (Model!.HasPassword)
+        @if (Model!.HasPassword)
         {
             <form class="profile-form" asp-controller="Profile" asp-action="ChangePassword" method="post">
+                @Html.AntiForgeryToken()
+
                 <div class="form-group">
                     <label for="oldPassword">@T.Get("common.oldPassword")</label>
 
@@ -169,6 +179,8 @@
         else
         {
             <form class="profile-form" asp-controller="Profile" asp-action="SetPassword" method="post">
+                @Html.AntiForgeryToken()
+
                 <div class="form-group">
                     <label for="password">@T.Get("common.password")</label>
 
@@ -217,6 +229,8 @@
             <label for="generate">&nbsp;</label>
 
             <form class="profile-form" asp-controller="Profile" asp-action="GenerateClientSecret" method="post">
+                @Html.AntiForgeryToken()
+
                 <button type="submit" class="btn btn-success btn-block" id="generate">@T.Get("users.profile.generateClient")</button>
             </form>
         </div>
@@ -231,6 +245,8 @@
     <small class="form-text text-muted mt-2 mb-2">@T.Get("users.profile.propertiesHint")</small>
 
     <form class="profile-form" asp-controller="Profile" asp-action="UpdateProperties" method="post">
+        @Html.AntiForgeryToken()
+
         <div class="mb-2" id="properties">
             @for (var i = 0; i < Model!.Properties.Count; i++)
             {
diff --git a/backend/src/Squidex/Areas/IdentityServer/Views/Setup/Setup.cshtml b/backend/src/Squidex/Areas/IdentityServer/Views/Setup/Setup.cshtml
index eb6b6b95cf..65e311e852 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Views/Setup/Setup.cshtml
+++ b/backend/src/Squidex/Areas/IdentityServer/Views/Setup/Setup.cshtml
@@ -160,6 +160,8 @@
         }
 
         <form class="profile-form" asp-controller="Setup" asp-action="Setup" method="post">
+            @Html.AntiForgeryToken()
+
             <div class="form-group">
                 <label for="email">@T.Get("common.email")</label>
 
diff --git a/frontend/src/app/shared/components/contents/content-list-cell.directive.ts b/frontend/src/app/shared/components/contents/content-list-cell.directive.ts
index b61e2df8c3..4bfb5f14af 100644
--- a/frontend/src/app/shared/components/contents/content-list-cell.directive.ts
+++ b/frontend/src/app/shared/components/contents/content-list-cell.directive.ts
@@ -36,7 +36,7 @@ export function getCellWidth(field: TableField, sizes: FieldSizes | undefined |
         case META_FIELDS.statusNext:
             return 240;
         case META_FIELDS.statusColor:
-            return 50;
+            return 80;
         case META_FIELDS.version:
             return 80;
         default:
diff --git a/frontend/src/app/shared/components/contents/content-list-field.component.html b/frontend/src/app/shared/components/contents/content-list-field.component.html
index 7122d94d03..a806453ca6 100644
--- a/frontend/src/app/shared/components/contents/content-list-field.component.html
+++ b/frontend/src/app/shared/components/contents/content-list-field.component.html
@@ -82,7 +82,7 @@
     </ng-container>
     <ng-container *ngSwitchCase="metaFields.statusColor">
         <ng-container *ngIf="content.newStatus; else singleStatus">
-            <span class="text-nowrap">
+            <span class="text-nowrap truncate">
                 <sqx-content-status
                     [status]="content.status"
                     [statusColor]="content.statusColor">