Added CSRF protection to all API calls. /api/account AJAX calls updated.

This commit is contained in:
rainbow napkin 2024-12-29 21:40:50 -05:00
parent 7e0c8e72c5
commit 106b0fcddb
11 changed files with 149 additions and 14 deletions

23
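--- a/www/css/error.css
+++ b/www/css/error.css
@@ -0,0 +1,23 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024-2025 Rainbownapkin and the TTN Community
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.*/
+h1, h3{
+text-align: center;
+}
+img{
+width: 50%;
+margin: 0 auto;
+}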
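Review bot: `margin: 0 auto` in the `img` rule will not centre the image, because `img` is an inline replaced element and auto horizontal margins only take effect on block-level boxes. Adding `display: block;` to that rule makes the `width: 50%` and the auto margins behave as the rule appears to intend.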

@ -395,7 +395,9 @@ class canopyAjaxUtils{
var response = await fetch(`/api/account/register`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
//It's either this or find and bind all event listeners :P
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify(email ? {user, pass, passConfirm, email, verification} : {user, pass, passConfirm, verification})
});
@ -411,7 +413,8 @@ class canopyAjaxUtils{
var response = await fetch(`/api/account/login`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify(verification ? {user, pass, verification} : {user, pass})
});
@ -427,7 +430,10 @@ class canopyAjaxUtils{
async logout(){
var response = await fetch(`/api/account/logout`,{
method: "GET",
method: "POST",
headers: {
"x-csrf-token": utils.ajax.getCSRFToken()
}
});
if(response.status == 200){
@ -441,7 +447,8 @@ class canopyAjaxUtils{
const response = await fetch(`/api/account/update`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify(update)
});
@ -469,7 +476,8 @@ class canopyAjaxUtils{
const response = await fetch(`/api/account/delete`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify({pass})
});
@ -485,7 +493,8 @@ class canopyAjaxUtils{
const response = await fetch(`/api/account/passwordResetRequest`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify({user, verification})
});
@ -506,7 +515,8 @@ class canopyAjaxUtils{
const response = await fetch(`/api/account/passwordReset`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify({token, pass, confirmPass, verification})
});
@ -782,6 +792,11 @@ class canopyAjaxUtils{
}
}
//Syntatic sugar
getCSRFToken(){
return document.querySelector("[name='csrf-token']").content;
}
}
const utils = new canopyUtils()
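Review bot: `getCSRFToken()` in the last hunk dereferences `document.querySelector("[name='csrf-token']")` without a null check, so on any page that does not render the meta tag every account call fails with an opaque TypeError rather than a clear error. The selector is also broader than needed: any element with `name="csrf-token"` (for example a form input) would match and yield `undefined`, since only a `meta` element carries a `content` property. Suggest `const meta = document.querySelector("meta[name='csrf-token']");` followed by `if(!meta) throw new Error("csrf-token meta tag missing");` and `return meta.content;`. The other hunks only add the header and reach this helper through the module-level `utils` rather than `this`; the comment in the register hunk suggests that is deliberate because the methods are passed as unbound event listeners, so it is acceptable as long as `utils` is constructed before any of these calls run.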