simple csrf protection

This commit is contained in:
Nazar Kanaev 2021-01-04 14:15:28 +00:00
parent fa0237b546
commit d6c2ba5812
2 changed files with 13 additions and 2 deletions


@ -2,9 +2,12 @@
(function() {
var api = function(method, endpoint, data) {
var headers = {'Content-Type': 'application/json'}
if (['get', 'post', 'put'].indexOf(method) !== -1)
headers['x-requested-by'] = 'yarr'
return fetch(endpoint, {
method: method,
headers: {'Content-Type': 'application/json'},
headers: headers,
body: JSON.stringify(data),
})
}
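Review bot: The method list on the `if (['get', 'post', 'put'].indexOf(method) !== -1)` line does not match the server's `unsafeMethod`, which also rejects `DELETE` without the header, so a `delete` call routed through `api` would be refused; the comparison is also case-sensitive, so a caller passing `'POST'` gets no header either. Since the header is a same-origin fetch marker with no cost on reads, the simplest fix is to drop the condition and set it unconditionally: `headers['x-requested-by'] = 'yarr'`. The old `headers: {'Content-Type': ...}` entry shown next to `headers: headers,` appears to be the removed line; if both survive, the later key silently wins, so worth confirming only one remains.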


@ -43,6 +43,10 @@ func (h *Handler) Start() {
}
}
func unsafeMethod(method string) bool {
return method == "POST" || method == "PUT" || method == "DELETE"
}
func (h Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
route, vars := getRoute(req)
if route == nil {
@ -51,6 +55,10 @@ func (h Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
}
if h.requiresAuth() && !route.manualAuth {
if unsafeMethod(req.Method) && req.Header.Get("X-Requested-By") != "yarr" {
rw.WriteHeader(http.StatusUnauthorized)
return
}
if !userIsAuthenticated(req, h.Username, h.Password) {
rw.WriteHeader(http.StatusUnauthorized)
return
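Review bot: `unsafeMethod` in the first hunk is a denylist, so `PATCH` and any other method not named there passes the `if unsafeMethod(req.Method) && req.Header.Get("X-Requested-By") != "yarr"` check; inverting it to an allowlist of read-only methods closes that gap: `return method != "GET" && method != "HEAD" && method != "OPTIONS"`. The rejection writes `http.StatusUnauthorized`, but a missing request marker is not a credential failure; `http.StatusForbidden` is the conventional reply and keeps it distinguishable from the `userIsAuthenticated` branch below. `unsafeMethod` also has no doc comment; suggest `// unsafeMethod reports whether method may change server state and so must carry the X-Requested-By header.` The check sits inside `h.requiresAuth() && !route.manualAuth`, so routes marked manualAuth presumably skip it — worth confirming that is intended. ServeHTTP's body continues outside the hunk.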