Missing csrf protection on kitspace_auth endpoints

[kasbah]

It doesn't seem to be implemented. These endpoints should also be setting a new csrf token, one that only works for the newly logged in user, in their responses (and the frontend should replace the csrf it uses from then on).

[AbdulrhmnGhanem]

It doesn't seem to be implemented.

I think it's enabled by default for all POST endpoints

gitea/modules/context/auth.go

Lines 65 to 70 in 7e9ecfe

	if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" {
	Validate(ctx, ctx.csrf)
	if ctx.Written() {
	return
	}
	}

and disabled for specific routes by using ignSignInAndCsrf

gitea/routers/web/web.go

Line 220 in 7e9ecfe

ignSignInAndCsrf := context.Toggle(&context.ToggleOptions{DisableCSRF: true})

gitea/routers/web/web.go

Lines 346 to 351 in 7e9ecfe

	m.Group("/login/oauth", func() {
	m.Get("/authorize", bindIgnErr(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
	m.Post("/grant", bindIgnErr(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
	// TODO manage redirection
	m.Post("/authorize", bindIgnErr(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
	}, ignSignInAndCsrf, reqSignIn)

[AbdulrhmnGhanem]

Also, a new CSRF is set after a successful login

logged out	logged in