From 9e51de6c8e78bdc149cd0f15e678d653f0c4ab6d Mon Sep 17 00:00:00 2001
From: Robin Malley
Date: Fri, 9 Apr 2021 19:16:36 +0000
Subject: [PATCH] Fix CSRF

Domain name was hardcoded, use the config file instead.
---
 src/lua/endpoints/login_post.lua | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lua/endpoints/login_post.lua b/src/lua/endpoints/login_post.lua
index 5647119..c8b7264 100644
--- a/src/lua/endpoints/login_post.lua
+++ b/src/lua/endpoints/login_post.lua
@@ -35,8 +35,9 @@ local function login_post(req)
 local hash = sha3(todigest)
 if hash == passhash then
 local mysession = session.start(id)
+ local domain_no_port = config.domain:match("(.*):.*")
 http_response_header(req,"set-cookie",string.format(
- [[session=%s; SameSite=Lax; Path=/; Domain=test.monster; HttpOnly; Secure]],mysession
+ [[session=%s; SameSite=Lax; Path=/; Domain=%s; HttpOnly; Secure]],mysession,domain_no_port
 ))
 local loc = string.format("https://%s.%s",name,config.domain)
 http_response_header(req,"Location",loc)
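Review bot: The new `config.domain:match("(.*):.*")` line yields nil whenever config.domain carries no port (the common production shape, e.g. a bare hostname), so the following string.format either raises on the nil argument (Lua 5.1) or emits `Domain=nil` (5.2+), and in both cases a correct login no longer produces a usable session cookie. Fall back to the unmodified value: `local domain_no_port = config.domain:match("^(.*):") or config.domain`. The greedy `(.*)` also splits at the last colon, which is only correct for `host:port` forms; if config.domain could ever be an IPv6 literal or carry a scheme this needs a stricter parse, but that depends on how the config is validated elsewhere. Note that the Domain attribute deliberately exposes the session cookie to every subdomain of config.domain, which the redirect to `https://name.domain` suggests is intended, so this should be documented at the cookie line, e.g. `-- Domain= shares the session cookie across per-user subdomains; strip the port, which is not valid in a cookie Domain`. login_post begins and ends outside this hunk.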