From eaf1fc896fbbd87bbea1687aa665fc054ee2f5a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Sun, 9 Aug 2020 13:16:57 -0700
Subject: [PATCH] Redirect to login page if CSRF token is expired

This will force the form to be populated with a valid token.
---
 ui/middleware.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ui/middleware.go b/ui/middleware.go
index a7707ae1..0db46703 100644
--- a/ui/middleware.go
+++ b/ui/middleware.go
@@ -89,6 +89,12 @@ func (m *middleware) handleAppSession(next http.Handler) http.Handler {
 		if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
 			logger.Error(`[UI:AppSession] Invalid or missing CSRF token: Form="%s", Header="%s"`, formValue, headerValue)
+
+			if mux.CurrentRoute(r).GetName() == "checkLogin" {
+				html.Redirect(w, r, route.Path(m.router, "login"))
+				return
+			}
+
 			html.BadRequest(w, r, errors.New("Invalid or missing CSRF"))
 			return
 		}
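Review bot: The added `mux.CurrentRoute(r).GetName()` is called without a nil check; if this is gorilla/mux, CurrentRoute returns nil when the request did not match a route, and GetName on a nil *Route dereferences it, so unless handleAppSession provably only runs for matched routes the line should read `if cur := mux.CurrentRoute(r); cur != nil && cur.GetName() == "checkLogin" {`. The redirect still discards the login submission, so the CSRF rejection itself is intact and the only behavioural change is that a stale token on the login form now yields a fresh form instead of a 400, but that rationale is not visible in the code; a comment above the new branch such as `// The login form can carry a CSRF token from a session that has since expired; send the user back to the login page so a fresh token is issued instead of failing with 400.` would make the special case intentional to the next reader. Note that the `logger.Error` call above the new branch still fires for this expected expiry case, so the error log will be noisy for ordinary users with stale sessions; logging at a lower level for the checkLogin path, or after the branch, would keep the error log meaningful for actual cross-site submissions. handleAppSession starts and ends outside the hunk.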