CSRF protection

2021-01-15 22:29:26 +00:00 · 2021-01-15 22:29:26 +00:00 · f5985f9f7a
commit f5985f9f7a
parent 84fa811a4a
4 changed files with 21 additions and 5 deletions
--- a/app/http/endpoints/api/token.go
+++ b/app/http/endpoints/api/token.go
@ -13,7 +13,7 @@ import (
 func TokenHandler(ctx *gin.Context) {
 	session := sessions.Default(ctx)
 	userId := utils.GetUserId(session)
- //TODO : CSRF
+
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 		"userid": strconv.FormatUint(userId, 10),
 	})
--- a/app/http/middleware/verifyheader.go
+++ b/app/http/middleware/verifyheader.go
@ -0,0 +1,12 @@
+package middleware
+
+import (
+	"github.com/TicketsBot/GoPanel/utils"
+	"github.com/gin-gonic/gin"
+)
+
+func VerifyXTicketsHeader(ctx *gin.Context) {
+	if ctx.GetHeader("x-tickets") != "true" {
+		ctx.AbortWithStatusJSON(400, utils.ErrorStr("Missing x-tickets header"))
+	}
+}
--- a/app/http/server.go
+++ b/app/http/server.go
@ -59,7 +59,7 @@ func StartServer() {

 	authorized := router.Group("/", middleware.AuthenticateCookie)
 	{
-		authorized.POST("/token", api.TokenHandler)
+		authorized.POST("/token", middleware.VerifyXTicketsHeader, api.TokenHandler)

 		authenticateGuildAdmin := authorized.Group("/", middleware.AuthenticateGuild(false, permission.Admin))
 		authenticateGuildSupport := authorized.Group("/", middleware.AuthenticateGuild(false, permission.Support))
@ -80,7 +80,7 @@ func StartServer() {
 		authorized.GET("/webchat", manage.WebChatWs)
 	}

-	apiGroup := router.Group("/api", middleware.AuthenticateToken)
+	apiGroup := router.Group("/api", middleware.VerifyXTicketsHeader, middleware.AuthenticateToken)
 	guildAuthApiAdmin := apiGroup.Group("/:id", middleware.AuthenticateGuild(true, permission.Admin))
 	guildAuthApiSupport := apiGroup.Group("/:id", middleware.AuthenticateGuild(true, permission.Support))
 	{
--- a/public/static/js/auth.js
+++ b/public/static/js/auth.js
@ -1,8 +1,11 @@
 async function getToken() {
    let token = window.localStorage.getItem('token');
    if (token == null) {
-        let res = await axios.post('/token', {
-            withCredentials: true
+        let res = await axios.post('/token', undefined, {
+            withCredentials: true,
+            headers: {
+                'x-tickets': 'true'
+            }
        });

        if (res.status !== 200 || !res.data.success) {
@ -25,6 +28,7 @@ function clearLocalStorage() {
 async function setDefaultHeader() {
    const token = await getToken();
    axios.defaults.headers.common['Authorization'] = token;
+    axios.defaults.headers.common['x-tickets'] = 'true'; // abritrary header name and value
    axios.defaults.validateStatus = false;
 }