CSRF protection
This commit is contained in:
parent
84fa811a4a
commit
f5985f9f7a
@ -13,7 +13,7 @@ import (
|
|||||||
func TokenHandler(ctx *gin.Context) {
|
func TokenHandler(ctx *gin.Context) {
|
||||||
session := sessions.Default(ctx)
|
session := sessions.Default(ctx)
|
||||||
userId := utils.GetUserId(session)
|
userId := utils.GetUserId(session)
|
||||||
//TODO : CSRF
|
|
||||||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
|
||||||
"userid": strconv.FormatUint(userId, 10),
|
"userid": strconv.FormatUint(userId, 10),
|
||||||
})
|
})
|
||||||
|
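--- /dev/null
+++ b/app/http/middleware/verifyheader.go
@@ -0,0 +1,12 @@
+package middleware
+
+import (
+"github.com/TicketsBot/GoPanel/utils"
+"github.com/gin-gonic/gin"
+)
+
+func VerifyXTicketsHeader(ctx *gin.Context) {
+if ctx.GetHeader("x-tickets") != "true" {
+ctx.AbortWithStatusJSON(400, utils.ErrorStr("Missing x-tickets header"))
+}
+}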
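Review bot: VerifyXTicketsHeader is exported with no doc comment, and the comment it needs is the security rationale: this is the custom-request-header CSRF mitigation, which only works because a non-safelisted header such as `x-tickets` forces a CORS preflight that a cross-site page cannot pass unless the server's CORS policy admits that origin and header — neither of which is visible in this change, so the check is only as strong as a CORS configuration that does not reflect arbitrary origins or allow `x-tickets`. Suggest above the func: `// VerifyXTicketsHeader rejects requests that lack "x-tickets: true". It is a CSRF guard: browsers cannot attach a custom header cross-origin without a CORS preflight, so it must never be paired with a permissive CORS policy.` Minor: a rejected cross-site request is a policy refusal rather than a malformed request, so `ctx.AbortWithStatusJSON(403, utils.ErrorStr("Missing x-tickets header"))` reads more accurately than 400.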
@ -59,7 +59,7 @@ func StartServer() {
|
|||||||
|
|
||||||
authorized := router.Group("/", middleware.AuthenticateCookie)
|
authorized := router.Group("/", middleware.AuthenticateCookie)
|
||||||
{
|
{
|
||||||
authorized.POST("/token", api.TokenHandler)
|
authorized.POST("/token", middleware.VerifyXTicketsHeader, api.TokenHandler)
|
||||||
|
|
||||||
authenticateGuildAdmin := authorized.Group("/", middleware.AuthenticateGuild(false, permission.Admin))
|
authenticateGuildAdmin := authorized.Group("/", middleware.AuthenticateGuild(false, permission.Admin))
|
||||||
authenticateGuildSupport := authorized.Group("/", middleware.AuthenticateGuild(false, permission.Support))
|
authenticateGuildSupport := authorized.Group("/", middleware.AuthenticateGuild(false, permission.Support))
|
||||||
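Review bot: Only `/token` in the cookie-authenticated `authorized` group receives VerifyXTicketsHeader; the sibling groups `authenticateGuildAdmin` and `authenticateGuildSupport` declared here (and whatever else the group registers beyond this hunk) are still reachable with just `middleware.AuthenticateCookie`, so any state-changing route on them remains exactly as CSRF-able as `/token` was. If the intent is that a cookie session may only mint a token and every mutation goes through `/api`, record that with a comment on the `authorized` group; otherwise add `middleware.VerifyXTicketsHeader` to each non-GET route in those groups (a group-wide check would break plain browser navigation to any HTML pages they serve). A custom-header check also does nothing for the WebSocket route on this group (`/webchat`, in the next hunk), because browsers cannot set custom headers on a WebSocket handshake — that route needs an explicit Origin check. StartServer begins and ends outside this hunk.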
@ -80,7 +80,7 @@ func StartServer() {
|
|||||||
authorized.GET("/webchat", manage.WebChatWs)
|
authorized.GET("/webchat", manage.WebChatWs)
|
||||||
}
|
}
|
||||||
|
|
||||||
apiGroup := router.Group("/api", middleware.AuthenticateToken)
|
apiGroup := router.Group("/api", middleware.VerifyXTicketsHeader, middleware.AuthenticateToken)
|
||||||
guildAuthApiAdmin := apiGroup.Group("/:id", middleware.AuthenticateGuild(true, permission.Admin))
|
guildAuthApiAdmin := apiGroup.Group("/:id", middleware.AuthenticateGuild(true, permission.Admin))
|
||||||
guildAuthApiSupport := apiGroup.Group("/:id", middleware.AuthenticateGuild(true, permission.Support))
|
guildAuthApiSupport := apiGroup.Group("/:id", middleware.AuthenticateGuild(true, permission.Support))
|
||||||
{
|
{
|
||||||
|
@ -1,8 +1,11 @@
|
|||||||
async function getToken() {
|
async function getToken() {
|
||||||
let token = window.localStorage.getItem('token');
|
let token = window.localStorage.getItem('token');
|
||||||
if (token == null) {
|
if (token == null) {
|
||||||
let res = await axios.post('/token', {
|
let res = await axios.post('/token', undefined, {
|
||||||
withCredentials: true
|
withCredentials: true,
|
||||||
|
headers: {
|
||||||
|
'x-tickets': 'true'
|
||||||
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
if (res.status !== 200 || !res.data.success) {
|
if (res.status !== 200 || !res.data.success) {
|
||||||
@ -25,6 +28,7 @@ function clearLocalStorage() {
|
|||||||
async function setDefaultHeader() {
|
async function setDefaultHeader() {
|
||||||
const token = await getToken();
|
const token = await getToken();
|
||||||
axios.defaults.headers.common['Authorization'] = token;
|
axios.defaults.headers.common['Authorization'] = token;
|
||||||
|
axios.defaults.headers.common['x-tickets'] = 'true'; // abritrary header name and value
|
||||||
axios.defaults.validateStatus = false;
|
axios.defaults.validateStatus = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
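Review bot: The comment on the new `axios.defaults.headers.common['x-tickets'] = 'true'` line is misleading (and misspells "arbitrary"): the name is not arbitrary — it must match the server middleware's `x-tickets` check and must be a header that is not CORS-safelisted, because the protection comes from the preflight a custom header forces, not from its value. Suggest `// CSRF guard: must match middleware.VerifyXTicketsHeader on the server; a non-safelisted custom header forces a CORS preflight that a cross-site page cannot pass`. Since it is set on `axios.defaults` it also rides along on every axios request, including any to other origins, where it will trigger preflights; if this front end ever calls third-party APIs through axios, scope the header to an `axios.create()` instance for this backend instead. setDefaultHeader is fully visible in this hunk.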
|