rainbownapkin/canopy
1
0
Fork 0
Code Issues 2 Pull requests Actions Packages Projects Releases Wiki Activity

Added CSRF token headers to ajax calls for /api/channel routes.

Browse source
This commit is contained in:
rainbow napkin 2024-12-29 22:25:53 -05:00
parent 106b0fcddb
commit 6dd8983a48
2 changed files with 70 additions and 52 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/routers/api/channelRouter.js
View file

@ -66,8 +66,6 @@ router.post('/permissions', channelModel.reqPermCheck("changePerms"), checkExac
//rank //rank
router.get('/rank', channelModel.reqPermCheck("manageChannel"), rankController.get); router.get('/rank', channelModel.reqPermCheck("manageChannel"), rankController.get);
router.post('/rank', channelModel.reqPermCheck("changeRank"), accountValidator.user(), channelValidator.rank(), rankController.post); router.post('/rank', channelModel.reqPermCheck("changeRank"), accountValidator.user(), channelValidator.rank(), rankController.post);
//delete
router.post('/delete', channelModel.reqPermCheck("deleteChannel"), channelValidator.name('confirm'), deleteController.post);
//ban //ban
router.get('/ban', channelModel.reqPermCheck("manageChannel"), banController.get); router.get('/ban', channelModel.reqPermCheck("manageChannel"), banController.get);
router.post('/ban', channelModel.reqPermCheck("banUser"), accountValidator.user(), body("banAlts").isBoolean(), body("expirationDays").isInt(), banController.post); router.post('/ban', channelModel.reqPermCheck("banUser"), accountValidator.user(), body("banAlts").isBoolean(), body("expirationDays").isInt(), banController.post);
@ -80,5 +78,7 @@ router.delete('/tokeCommand', tokebotValidator.command(), channelModel.reqPermCh
router.get('/emote', channelModel.reqPermCheck("manageChannel"), emoteController.get); router.get('/emote', channelModel.reqPermCheck("manageChannel"), emoteController.get);
router.post('/emote', channelModel.reqPermCheck("editEmotes"), emoteValidator.name('emoteName'), emoteValidator.link(), emoteController.post); router.post('/emote', channelModel.reqPermCheck("editEmotes"), emoteValidator.name('emoteName'), emoteValidator.link(), emoteController.post);
router.delete('/emote', channelModel.reqPermCheck("editEmotes"), emoteValidator.name('emoteName'), emoteController.delete); router.delete('/emote', channelModel.reqPermCheck("editEmotes"), emoteValidator.name('emoteName'), emoteController.delete);
//delete
router.post('/delete', channelModel.reqPermCheck("deleteChannel"), channelValidator.name('confirm'), deleteController.post);
module.exports = router; module.exports = router;

118
www/js/utils.js
View file

@ -391,6 +391,7 @@ class canopyAjaxUtils{
} }
//Account
async register(user, pass, passConfirm, email, verification){ async register(user, pass, passConfirm, email, verification){
var response = await fetch(`/api/account/register`,{ var response = await fetch(`/api/account/register`,{
method: "POST", method: "POST",
@ -533,11 +534,13 @@ class canopyAjaxUtils{
} }
} }
//Channel
async newChannel(name, description, thumbnail, verification){ async newChannel(name, description, thumbnail, verification){
var response = await fetch(`/api/channel/register`,{ var response = await fetch(`/api/channel/register`,{
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
body: JSON.stringify(thumbnail ? {name, description, thumbnail, verification} : {name, description, verification}) body: JSON.stringify(thumbnail ? {name, description, thumbnail, verification} : {name, description, verification})
}); });
@ -553,7 +556,8 @@ class canopyAjaxUtils{
var response = await fetch(`/api/channel/settings`,{ var response = await fetch(`/api/channel/settings`,{
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
//Unfortunately JSON doesn't natively handle ES6 maps, and god forbid someone update the standard in a way that's backwards compatible... //Unfortunately JSON doesn't natively handle ES6 maps, and god forbid someone update the standard in a way that's backwards compatible...
body: JSON.stringify({chanName, settingsMap: Object.fromEntries(settingsMap)}) body: JSON.stringify({chanName, settingsMap: Object.fromEntries(settingsMap)})
@ -570,7 +574,8 @@ class canopyAjaxUtils{
var response = await fetch(`/api/channel/permissions`,{ var response = await fetch(`/api/channel/permissions`,{
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
//Unfortunately JSON doesn't natively handle ES6 maps, and god forbid someone update the standard in a way that's backwards compatible... //Unfortunately JSON doesn't natively handle ES6 maps, and god forbid someone update the standard in a way that's backwards compatible...
body: JSON.stringify({chanName, channelPermissionsMap: Object.fromEntries(permissionsMap)}) body: JSON.stringify({chanName, channelPermissionsMap: Object.fromEntries(permissionsMap)})
@ -599,7 +604,8 @@ class canopyAjaxUtils{
var response = await fetch(`/api/channel/rank`,{ var response = await fetch(`/api/channel/rank`,{
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
body: JSON.stringify({chanName, user, rank}) body: JSON.stringify({chanName, user, rank})
}); });
@ -611,46 +617,6 @@ class canopyAjaxUtils{
} }
} }
async deleteChannel(chanName, confirm){
var response = await fetch(`/api/channel/delete`,{
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({chanName, confirm})
});
if(response.status == 200){
location = "/";
}else{
utils.ux.displayResponseError(await response.json());
}
}
async getPopup(popup){
var response = await fetch(`/popup/${popup}`,{
method: "GET"
});
if(response.status == 200){
return (await response.text())
}else{
utils.ux.displayResponseError(await response.json());
}
}
async getTooltip(tooltip){
var response = await fetch(`/tooltip/${tooltip}`,{
method: "GET"
});
if(response.status == 200){
return (await response.text())
}else{
utils.ux.displayResponseError(await response.json());
}
}
async getChanBans(chanName){ async getChanBans(chanName){
var response = await fetch(`/api/channel/ban?chanName=${chanName}`,{ var response = await fetch(`/api/channel/ban?chanName=${chanName}`,{
method: "GET", method: "GET",
@ -670,7 +636,8 @@ class canopyAjaxUtils{
var response = await fetch(`/api/channel/ban`,{ var response = await fetch(`/api/channel/ban`,{
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
body: JSON.stringify({chanName, user, expirationDays, banAlts}) body: JSON.stringify({chanName, user, expirationDays, banAlts})
}); });
@ -686,7 +653,8 @@ class canopyAjaxUtils{
var response = await fetch(`/api/channel/ban`,{ var response = await fetch(`/api/channel/ban`,{
method: "DELETE", method: "DELETE",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
body: JSON.stringify({chanName, user}) body: JSON.stringify({chanName, user})
}); });
@ -717,7 +685,9 @@ class canopyAjaxUtils{
var response = await fetch('/api/channel/tokeCommand',{ var response = await fetch('/api/channel/tokeCommand',{
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
body: JSON.stringify({chanName, command}) body: JSON.stringify({chanName, command})
}); });
@ -733,7 +703,8 @@ class canopyAjaxUtils{
var response = await fetch('/api/channel/tokeCommand',{ var response = await fetch('/api/channel/tokeCommand',{
method: "DELETE", method: "DELETE",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
body: JSON.stringify({chanName, command}) body: JSON.stringify({chanName, command})
}); });
@ -764,7 +735,8 @@ class canopyAjaxUtils{
var response = await fetch('/api/channel/emote',{ var response = await fetch('/api/channel/emote',{
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
body: JSON.stringify({chanName, emoteName, link}) body: JSON.stringify({chanName, emoteName, link})
}); });
@ -780,7 +752,8 @@ class canopyAjaxUtils{
var response = await fetch('/api/channel/emote',{ var response = await fetch('/api/channel/emote',{
method: "DELETE", method: "DELETE",
headers: { headers: {
"Content-Type": "application/json" "Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
}, },
body: JSON.stringify({chanName, emoteName}) body: JSON.stringify({chanName, emoteName})
}); });
@ -792,6 +765,51 @@ class canopyAjaxUtils{
} }
} }
async deleteChannel(chanName, confirm){
var response = await fetch(`/api/channel/delete`,{
method: "POST",
headers: {
"Content-Type": "application/json",
"x-csrf-token": utils.ajax.getCSRFToken()
},
body: JSON.stringify({chanName, confirm})
});
if(response.status == 200){
location = "/";
}else{
utils.ux.displayResponseError(await response.json());
}
}
//Popup
async getPopup(popup){
var response = await fetch(`/popup/${popup}`,{
method: "GET"
});
if(response.status == 200){
return (await response.text())
}else{
utils.ux.displayResponseError(await response.json());
}
}
//Tooltip
async getTooltip(tooltip){
var response = await fetch(`/tooltip/${tooltip}`,{
method: "GET"
});
if(response.status == 200){
return (await response.text())
}else{
utils.ux.displayResponseError(await response.json());
}
}
//Syntatic sugar //Syntatic sugar
getCSRFToken(){ getCSRFToken(){
return document.querySelector("[name='csrf-token']").content; return document.querySelector("[name='csrf-token']").content;