fix some bugs

submit.yml.erb

@@ -1,3 +1,8 @@
 ---
 batch_connect:
   template: "basic"
+  conn_params:
+    - host
+    - port
+    - password
+    - csrf_token

template/before.sh.erb

@@ -7,3 +7,6 @@ port=$(find_port ${host})
 # Define a password and export it for RStudio authentication
 password="$(create_passwd 16)"
 export RSTUDIO_PASSWORD="${password}"
+
+# Define a CSRF (cross site request forgery) token to be added to HTML form and cookie
+csrf_token="$(create_passwd 32)"

template/bin/auth

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
-# Confirm username is supplied
-if [[ $# -ne 1 ]]; then
+# Confirm username is supplied. All other args are ignored
+if [[ $# -le 1 ]]; then
   echo "Usage: auth USERNAME"
   exit 1
 fi

template/script.sh.erb

@@ -46,6 +46,7 @@ cd "${HOME}"
 
 export TMPDIR="$(mktemp -d)"
 
+# https://docs.posit.co/ide/server-pro/admin/access_and_security/cookies.html
 mkdir -p "$TMPDIR/rstudio-server"
 python -c 'from uuid import uuid4; print(uuid4())' > "$TMPDIR/rstudio-server/secure-cookie-key"
 chmod 0600 "$TMPDIR/rstudio-server/secure-cookie-key"
@@ -59,6 +60,7 @@ singularity run -B "$TMPDIR:/tmp" "$RSTUDIO_SERVER_IMAGE" \
  --auth-none 0 \
  --auth-pam-helper-path "${RSTUDIO_AUTH}" \
  --auth-encrypt-password 0 \
- --rsession-path "${RSESSION_WRAPPER_FILE}"
+ --rsession-path "${RSESSION_WRAPPER_FILE}" \
+ --secure-cookie-key-file /tmp/secure-cookie-key
 
 echo 'Singularity as exited...'

view.html.erb

@@ -3,7 +3,11 @@
   <input type="hidden" name="password" value="<%= password %>">
   <input type="hidden" name="staySignedIn" value="1">
   <input type="hidden" name="appUri" value="">
+  <input type="hidden" name="csrf-token" value="<%= csrf_token %>">
   <button class="btn btn-primary" type="submit">
     <i class="fa fa-registered"></i> Connect to RStudio Server
   </button>
 </form>
+<script>
+document.cookie = `csrf-token=<%= csrf_token %>; path=/rnode/<%= host %>/<%= port %>`
+</script>