mirrors/puter
1
0
Fork 0
mirror of https://github.com/HeyPuter/puter synced 2024-11-14 22:06:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: add anti-csrf token for /revoke-session

Browse Source
This commit is contained in:
KernelDeimos 2024-08-18 01:06:47 -04:00
parent 9fa12d43fc
commit b6b64d3bcc
4 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/backend/src/routers/auth/revoke-session.js
View File

@ -36,6 +36,11 @@ module.exports = eggspress('/auth/revoke-session', {
throw APIError.create('forbidden'); throw APIError.create('forbidden');
} }
const svc_antiCSRF = req.services.get('anti-csrf');
if ( ! svc_antiCSRF.consume_token(actor.type.user.uuid, req.body.anti_csrf) ) {
return res.status(400).json({ message: 'incorrect anti-CSRF token' });
}
// Ensure valid UUID // Ensure valid UUID
if ( ! req.body.uuid || typeof req.body.uuid !== 'string' ) { if ( ! req.body.uuid || typeof req.body.uuid !== 'string' ) {
throw APIError.create('field_invalid', null, { throw APIError.create('field_invalid', null, {

4
src/gui/src/UI/UIWindowManageSessions.js
View File

@ -106,6 +106,9 @@ const UIWindowManageSessions = async function UIWindowManageSessions (options) {
return; return;
} }
const anti_csrf = await services.get('anti-csrf').token();
const resp = await fetch(`${window.api_origin}/auth/revoke-session`, { const resp = await fetch(`${window.api_origin}/auth/revoke-session`, {
method: 'POST', method: 'POST',
headers: { headers: {
@ -114,6 +117,7 @@ const UIWindowManageSessions = async function UIWindowManageSessions (options) {
}, },
body: JSON.stringify({ body: JSON.stringify({
uuid: session.uuid, uuid: session.uuid,
anti_csrf,
}), }),
}); });
if ( resp.ok ) { if ( resp.ok ) {

2
src/gui/src/initgui.js
View File

@ -45,6 +45,7 @@ import UIComponentWindow from './UI/UIComponentWindow.js';
import update_mouse_position from './helpers/update_mouse_position.js'; import update_mouse_position from './helpers/update_mouse_position.js';
import { LaunchOnInitService } from './services/LaunchOnInitService.js'; import { LaunchOnInitService } from './services/LaunchOnInitService.js';
import item_icon from './helpers/item_icon.js'; import item_icon from './helpers/item_icon.js';
import { AntiCSRFService } from './services/AntiCSRFService.js';
const launch_services = async function (options) { const launch_services = async function (options) {
// === Services Data Structures === // === Services Data Structures ===
@ -79,6 +80,7 @@ const launch_services = async function (options) {
register('process', new ProcessService()); register('process', new ProcessService());
register('locale', new LocaleService()); register('locale', new LocaleService());
register('settings', new SettingsService()); register('settings', new SettingsService());
register('anti-csrf', new AntiCSRFService());
register('__launch-on-init', new LaunchOnInitService()); register('__launch-on-init', new LaunchOnInitService());
// === Service-Script Services === // === Service-Script Services ===

23
src/gui/src/services/AntiCSRFService.js Normal file
View File

@ -0,0 +1,23 @@
import { Service } from "../definitions.js";
export class AntiCSRFService extends Service {
/**
* Request an anti-csrf token from the server
* @return anti_csrf: string
*/
async token () {
const anti_csrf = await (async () => {
const resp = await fetch(
`${window.gui_origin}/get-anticsrf-token`,{
headers: {
'Content-Type': 'application/json',
'Authorization': 'Bearer ' + window.auth_token,
}
},)
const { token } = await resp.json();
return token;
})();
return anti_csrf;
}
}