From ab151cb732b2ff20f4588f9f0558f65c3174a13e Mon Sep 17 00:00:00 2001
From: Wolvan <wolvan1@gmail.com>
Date: Wed, 12 Jan 2022 19:46:45 +0100
Subject: [PATCH] Use CSRF token to discourage botting

A suggestion to avoid stupid bots to vote on polls was a token that gets
checked to a session cookie on vote submission.
---
 frontend/html/poll.html |  1 +
 src/backend.ts          | 14 ++++++++++++++
 src/frontend.ts         |  7 +++++++
 3 files changed, 22 insertions(+)

diff --git a/frontend/html/poll.html b/frontend/html/poll.html
index 8ee9f65..ca51be6 100644
--- a/frontend/html/poll.html
+++ b/frontend/html/poll.html
@@ -36,6 +36,7 @@
         <section class="notepad">
             <div class="notepad-border"></div>
             <form action="{{ BACKEND_BASE_PATH }}/_backend/vote-form/{{ POLL_ID }}" method="POST">
+                <input type="hidden" name="csrf_token" value="{{ CSRF_TOKEN }}">
                 <section class="poll-title">
                     {{ POLL_TITLE }}
                 </section>
diff --git a/src/backend.ts b/src/backend.ts
index 0ce5e8c..de9acdb 100644
--- a/src/backend.ts
+++ b/src/backend.ts
@@ -4,6 +4,7 @@ import { CookieOptions, Router } from "express";
 import { BackendPoll as Poll, DupeCheckMode } from "./Poll";
 import { MAX_POLL_OPTIONS, MAX_CHARACTER_LENGTH } from "./Config";
 import Storage from "./Storage";
+import crypto from "crypto";
 
 function randomString(length = 10, charset = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789") {
     let result = "";
@@ -213,12 +214,25 @@ export default async function init(router: Router, polls: Storage): Promise<void
             const id = req.params.id;
             const votes = [].concat(req.body["poll-option"]);
 
+            const csrfTokenFromForm = req.body["csrf_token"];
+            const csrfTokenFromCookie = req.cookies.csrftoken;
+
+            if (csrfTokenFromForm !== csrfTokenFromCookie) return res.redirect(`/${id}?error=${
+                encodeURIComponent("Invalid CSRF token")
+            }&options=${
+                encodeURIComponent(votes.slice(0, MAX_POLL_OPTIONS).join("\uFFFE"))
+            }`);
+
             const error = await voteOnPoll(id, votes, {
                 ip: req.headers["x-forwarded-for"] as string || req.socket.remoteAddress || "",
                 setCookie: res.cookie.bind(res),
                 cookies: req.cookies
             });
 
+            res.cookie("csrftoken", crypto.randomBytes(32).toString("base64"), {
+                httpOnly: true,
+            });
+
             if (!error) return res.redirect("/" + id + "/r");
             if (error.statusCode === 404) return res.redirect("/");
             res.redirect(`/${id}?error=${
diff --git a/src/frontend.ts b/src/frontend.ts
index c5c0d7e..d7cb397 100644
--- a/src/frontend.ts
+++ b/src/frontend.ts
@@ -7,6 +7,7 @@ import fetch from 'node-fetch';
 import { program } from "commander";
 import { FrontendPoll as Poll, PollResult } from "./Poll";
 import { MAX_CHARACTER_LENGTH, MAX_POLL_OPTIONS } from "./Config";
+import crypto from "crypto";
 
 const RenderBuffer = new WeakMap();
 const RenderReplacements = new WeakMap();
@@ -158,7 +159,13 @@ export default function init(router: Router): void {
                 </div>`
             ).join("");
 
+            const csrfToken = req.cookies.csrftoken || crypto.randomBytes(32).toString("base64");
+            res.cookie("csrftoken", csrfToken, {
+                httpOnly: true,
+            });
+
             await displayPage(req, res, "poll.html", {
+                "CSRF_TOKEN": csrfToken,
                 "POLL_ID": poll.id,
                 "POLL_TITLE": xss(poll.title),
                 "POLL_OPTION_DIVS": pollOptions,