From 3eb392cb6a37aa16f854685c1b12cf0684333d72 Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Mon, 19 May 2025 10:50:11 -0400
Subject: [PATCH] fixup
---
 submit.yml.erb | 5 +++++
 template/before.sh.erb | 3 +++
 template/bin/auth | 4 ++--
 template/script.sh.erb | 4 +++-
 view.html.erb | 4 ++++
 5 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/submit.yml.erb b/submit.yml.erb
index c7eb4cd..0533548 100644
--- a/submit.yml.erb
+++ b/submit.yml.erb
@@ -1,3 +1,8 @@
 ---
 batch_connect:
 template: "basic"
+ conn_params:
+ - host
+ - port
+ - password
+ - csrf_token
diff --git a/template/before.sh.erb b/template/before.sh.erb
index 2c4920e..d26eb34 100755
--- a/template/before.sh.erb
+++ b/template/before.sh.erb
@@ -7,3 +7,6 @@ port=$(find_port ${host})
 # Define a password and export it for RStudio authentication
 password="$(create_passwd 16)"
 export RSTUDIO_PASSWORD="${password}"
+
+# Define a CSRF (cross site request forgery) token to be added to HTML form and cookie
+csrf_token="$(create_passwd 32)"
diff --git a/template/bin/auth b/template/bin/auth
index 1695a43..3dbaa46 100755
--- a/template/bin/auth
+++ b/template/bin/auth
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
-# Confirm username is supplied
-if [[ $# -ne 1 ]]; then
+# Confirm username is supplied. All other args are ignored
+if [[ $# -le 1 ]]; then
 echo "Usage: auth USERNAME"
 exit 1
 fi
diff --git a/template/script.sh.erb b/template/script.sh.erb
index 45b91b8..9cc3235 100755
--- a/template/script.sh.erb
+++ b/template/script.sh.erb
@@ -46,6 +46,7 @@ cd "${HOME}"
 export TMPDIR="$(mktemp -d)"
+# https://docs.posit.co/ide/server-pro/admin/access_and_security/cookies.html
 mkdir -p "$TMPDIR/rstudio-server"
 python -c 'from uuid import uuid4; print(uuid4())' > "$TMPDIR/rstudio-server/secure-cookie-key"
 chmod 0600 "$TMPDIR/rstudio-server/secure-cookie-key"
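Review bot: In submit.yml.erb, listing `password` and `csrf_token` under `conn_params` makes both secrets part of the session's connection data, and the hunk carries no comment saying so. As far as I know Open OnDemand persists these values in the session's staged directory, so their confidentiality presumably rests on that directory's permissions. A comment above the list such as `# password and csrf_token are secrets; the session directory must stay readable by the owner only` would record that. `host`, `port` and `password` may already be default connection parameters for the basic template, in which case only `csrf_token` needs listing; worth confirming.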
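Review bot: In template/bin/auth the new guard `[[ $# -le 1 ]]` is also true for exactly one argument, so a call that supplies only the username now prints the usage text and exits 1. That contradicts both the `Usage: auth USERNAME` line and the updated comment, which says extra arguments are merely ignored. To require a username and tolerate additional arguments, the test should be `if [[ $# -lt 1 ]]; then`. Because script.sh.erb passes a helper to rserver via `--auth-pam-helper-path` (presumably this script), a wrong count here rejects every login from a caller that passes a single argument. The usage message would also be better sent to stderr with `>&2`; the rest of the script lies outside the hunk.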
@@ -59,6 +60,7 @@ singularity run -B "$TMPDIR:/tmp" "$RSTUDIO_SERVER_IMAGE" \
 --auth-none 0 \
 --auth-pam-helper-path "${RSTUDIO_AUTH}" \
 --auth-encrypt-password 0 \
- --rsession-path "${RSESSION_WRAPPER_FILE}"
+ --rsession-path "${RSESSION_WRAPPER_FILE}" \
+ --secure-cookie-key-file /tmp/secure-cookie-key
 echo 'Singularity as exited...'
diff --git a/view.html.erb b/view.html.erb
index cf8923f..10e4e63 100644
--- a/view.html.erb
+++ b/view.html.erb
@@ -3,7 +3,11 @@ + +
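Review bot: In template/script.sh.erb the path passed to `--secure-cookie-key-file` does not match where the key is written. The earlier hunk's context creates it at `$TMPDIR/rstudio-server/secure-cookie-key`, and this command binds `$TMPDIR` to `/tmp`, so inside the container the file is `/tmp/rstudio-server/secure-cookie-key`, not `/tmp/secure-cookie-key`. With the path as written, rserver presumably either fails to start or falls back to a key of its own, leaving the `chmod 0600` key unused. Suggested line: `--secure-cookie-key-file /tmp/rstudio-server/secure-cookie-key`. The `singularity run` command begins on the hunk header line, outside the hunk body.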