Added CSRF protection to all API calls. /api/account AJAX calls updated.

This commit is contained in:
rainbow napkin 2024-12-29 21:40:50 -05:00
parent 7e0c8e72c5
commit 106b0fcddb
11 changed files with 149 additions and 14 deletions


@ -395,7 +395,9 @@ class canopyAjaxUtils{
var response = await fetch(`/api/account/register`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
//It's either this or find and bind all event listeners :P
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify(email ? {user, pass, passConfirm, email, verification} : {user, pass, passConfirm, verification})
});
@ -411,7 +413,8 @@ class canopyAjaxUtils{
var response = await fetch(`/api/account/login`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify(verification ? {user, pass, verification} : {user, pass})
});
@ -427,7 +430,10 @@ class canopyAjaxUtils{
async logout(){
var response = await fetch(`/api/account/logout`,{
method: "GET",
method: "POST",
headers: {
"x-csrf-token": utils.ajax.getCSRFToken()
}
});
if(response.status == 200){
@ -441,7 +447,8 @@ class canopyAjaxUtils{
const response = await fetch(`/api/account/update`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify(update)
});
@ -469,7 +476,8 @@ class canopyAjaxUtils{
const response = await fetch(`/api/account/delete`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify({pass})
});
@ -485,7 +493,8 @@ class canopyAjaxUtils{
const response = await fetch(`/api/account/passwordResetRequest`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify({user, verification})
});
@ -506,7 +515,8 @@ class canopyAjaxUtils{
const response = await fetch(`/api/account/passwordReset`,{
method: "POST",
headers: {
"Content-Type": "application/json"
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify({token, pass, confirmPass, verification})
});
@ -782,6 +792,11 @@ class canopyAjaxUtils{
}
}
//Syntatic sugar
getCSRFToken(){
return document.querySelector("[name='csrf-token']").content;
}
}
const utils = new canopyUtils()
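Review bot: The new `getCSRFToken()` at the end of the section dereferences the result of `document.querySelector(...)` with no null check, so on any page rendered without the `csrf-token` meta tag every account call now fails with a TypeError thrown while building the headers object, rather than with a clear error. Narrow the selector to the meta element and fail explicitly: `const meta = document.querySelector("meta[name='csrf-token']");` / `if (!meta) throw new Error("csrf-token meta tag missing; CSRF header cannot be set");` / `return meta.content;`. The bare `[name='csrf-token']` selector matches any element carrying that name attribute (a form field, for instance), which is not what the `x-csrf-token` header should be fed. Because the token is re-read from the DOM on each call, if the server rotates it on login or logout the header goes stale until the page is reloaded; that server behaviour is not visible in this section and is worth confirming. The enclosing class canopyAjaxUtils begins before the first hunk, and the last hunk's line count in its header exceeds what is shown here, so some of its lines may have been dropped by the page.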