Improve web api protect (#6343)

master
abcang 7 years ago committed by Eugen Rochko
parent 204d72fbe4
commit 897199910f
  1. 9
      app/controllers/api/web/base_controller.rb
  2. 2
      app/controllers/api/web/embeds_controller.rb
  3. 3
      app/controllers/api/web/push_subscriptions_controller.rb
  4. 2
      app/controllers/api/web/settings_controller.rb
  5. 10
      app/javascript/mastodon/actions/push_notifications/registerer.js
  6. 2
      app/javascript/mastodon/actions/settings.js

@ -0,0 +1,9 @@
# frozen_string_literal: true
class Api::Web::BaseController < Api::BaseController
protect_from_forgery with: :exception
rescue_from ActionController::InvalidAuthenticityToken do
render json: { error: "Can't verify CSRF token authenticity." }, status: 422
end
end
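Review bot: The new base class carries no comment saying why it exists, and the reason is the security property of the whole commit: these endpoints are called from the browser with the session cookie, so they need the CSRF verification that token-authenticated API controllers may skip in Api::BaseController (not visible here). I would add `# Web API endpoints authenticate with the session cookie, not an OAuth token, so CSRF protection is mandatory here.` above `protect_from_forgery`, and back it with a request spec asserting that a POST without a valid token returns 422, since whether this call undoes a parent `skip_before_action :verify_authenticity_token` is the kind of thing to pin with a test rather than assume. On the rescue, `status: :unprocessable_entity` reads better than the bare `422`, and the hardcoded English message could go through I18n like the app's other user-facing error strings presumably do.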

@ -1,6 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::Web::EmbedsController < Api::BaseController class Api::Web::EmbedsController < Api::Web::BaseController
respond_to :json respond_to :json
before_action :require_user! before_action :require_user!

@ -1,10 +1,9 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::Web::PushSubscriptionsController < Api::BaseController class Api::Web::PushSubscriptionsController < Api::Web::BaseController
respond_to :json respond_to :json
before_action :require_user! before_action :require_user!
protect_from_forgery with: :exception
def create def create
active_session = current_session active_session = current_session

@ -1,6 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::Web::SettingsController < Api::BaseController class Api::Web::SettingsController < Api::Web::BaseController
respond_to :json respond_to :json
before_action :require_user! before_action :require_user!

@ -36,7 +36,7 @@ const subscribe = (registration) =>
const unsubscribe = ({ registration, subscription }) => const unsubscribe = ({ registration, subscription }) =>
subscription ? subscription.unsubscribe().then(() => registration) : registration; subscription ? subscription.unsubscribe().then(() => registration) : registration;
const sendSubscriptionToBackend = (getState, subscription) => { const sendSubscriptionToBackend = (subscription) => {
const params = { subscription }; const params = { subscription };
if (me) { if (me) {
@ -46,7 +46,7 @@ const sendSubscriptionToBackend = (getState, subscription) => {
} }
} }
return api(getState).post('/api/web/push_subscriptions', params).then(response => response.data); return api().post('/api/web/push_subscriptions', params).then(response => response.data);
}; };
// Last one checks for payload support: https://web-push-book.gauntface.com/chapter-06/01-non-standards-browsers/#no-payload // Last one checks for payload support: https://web-push-book.gauntface.com/chapter-06/01-non-standards-browsers/#no-payload
@ -85,13 +85,13 @@ export function register () {
} else { } else {
// Something went wrong, try to subscribe again // Something went wrong, try to subscribe again
return unsubscribe({ registration, subscription }).then(subscribe).then( return unsubscribe({ registration, subscription }).then(subscribe).then(
subscription => sendSubscriptionToBackend(getState, subscription)); subscription => sendSubscriptionToBackend(subscription));
} }
} }
// No subscription, try to subscribe // No subscription, try to subscribe
return subscribe(registration).then( return subscribe(registration).then(
subscription => sendSubscriptionToBackend(getState, subscription)); subscription => sendSubscriptionToBackend(subscription));
}) })
.then(subscription => { .then(subscription => {
// If we got a PushSubscription (and not a subscription object from the backend) // If we got a PushSubscription (and not a subscription object from the backend)
@ -134,7 +134,7 @@ export function saveSettings() {
const alerts = state.get('alerts'); const alerts = state.get('alerts');
const data = { alerts }; const data = { alerts };
api(getState).put(`/api/web/push_subscriptions/${subscription.get('id')}`, { api().put(`/api/web/push_subscriptions/${subscription.get('id')}`, {
data, data,
}).then(() => { }).then(() => {
if (me) { if (me) {
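Review bot: Dropping `getState` from the `api()` calls at the two sites in this file and the one in settings.js below presumably switches these requests from bearer-token to session-cookie authentication with the CSRF header, but nothing in the hunks records that intent. A one-line comment at `sendSubscriptionToBackend`, such as `// Web API: authenticated by the session cookie + CSRF token, not the access token, so no getState`, would stop a future maintainer from "fixing" it back. If `getState` is no longer referenced anywhere in `register()` after this change, its thunk parameter should be dropped or renamed `_getState`; the enclosing function bodies start and end outside the hunks. The `api().put` in saveSettings has no `.catch` in the visible lines, so a 422 from the new CSRF rescue would surface only as an unhandled rejection unless one follows further down.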

@ -24,7 +24,7 @@ const debouncedSave = debounce((dispatch, getState) => {
const data = getState().get('settings').filter((_, path) => path !== 'saved').toJS(); const data = getState().get('settings').filter((_, path) => path !== 'saved').toJS();
api(getState).put('/api/web/settings', { data }) api().put('/api/web/settings', { data })
.then(() => dispatch({ type: SETTING_SAVE })) .then(() => dispatch({ type: SETTING_SAVE }))
.catch(error => dispatch(showAlertForError(error))); .catch(error => dispatch(showAlertForError(error)));
}, 5000, { trailing: true }); }, 5000, { trailing: true });
