From 5384e1e913c3e6f5eea2cfd4b55aa0ea3b3ac810 Mon Sep 17 00:00:00 2001 From: abcang Date: Tue, 17 Apr 2018 22:23:46 +0900 Subject: [PATCH] Improve web api protect (#6343) --- app/controllers/api/web/base_controller.rb | 9 +++++++++ app/controllers/api/web/embeds_controller.rb | 2 +- .../api/web/push_subscriptions_controller.rb | 3 +-- app/controllers/api/web/settings_controller.rb | 2 +- .../mastodon/actions/push_notifications/registerer.js | 10 +++++----- app/javascript/mastodon/actions/settings.js | 2 +- 6 files changed, 18 insertions(+), 10 deletions(-) create mode 100644 app/controllers/api/web/base_controller.rb diff --git a/app/controllers/api/web/base_controller.rb b/app/controllers/api/web/base_controller.rb new file mode 100644 index 0000000000..8da549b3a3 --- /dev/null +++ b/app/controllers/api/web/base_controller.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +class Api::Web::BaseController < Api::BaseController + protect_from_forgery with: :exception + + rescue_from ActionController::InvalidAuthenticityToken do + render json: { error: "Can't verify CSRF token authenticity." }, status: 422 + end +end diff --git a/app/controllers/api/web/embeds_controller.rb b/app/controllers/api/web/embeds_controller.rb index 2ed5161612..f2fe74b179 100644 --- a/app/controllers/api/web/embeds_controller.rb +++ b/app/controllers/api/web/embeds_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::Web::EmbedsController < Api::BaseController +class Api::Web::EmbedsController < Api::Web::BaseController respond_to :json before_action :require_user! diff --git a/app/controllers/api/web/push_subscriptions_controller.rb b/app/controllers/api/web/push_subscriptions_controller.rb index c611031abd..249e7c1860 100644 --- a/app/controllers/api/web/push_subscriptions_controller.rb +++ b/app/controllers/api/web/push_subscriptions_controller.rb @@ -1,10 +1,9 @@ # frozen_string_literal: true -class Api::Web::PushSubscriptionsController < Api::BaseController +class Api::Web::PushSubscriptionsController < Api::Web::BaseController respond_to :json before_action :require_user! - protect_from_forgery with: :exception def create active_session = current_session diff --git a/app/controllers/api/web/settings_controller.rb b/app/controllers/api/web/settings_controller.rb index f6739d5062..e3178bf48b 100644 --- a/app/controllers/api/web/settings_controller.rb +++ b/app/controllers/api/web/settings_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::Web::SettingsController < Api::BaseController +class Api::Web::SettingsController < Api::Web::BaseController respond_to :json before_action :require_user! diff --git a/app/javascript/mastodon/actions/push_notifications/registerer.js b/app/javascript/mastodon/actions/push_notifications/registerer.js index f17d929a6e..60b215f028 100644 --- a/app/javascript/mastodon/actions/push_notifications/registerer.js +++ b/app/javascript/mastodon/actions/push_notifications/registerer.js @@ -36,7 +36,7 @@ const subscribe = (registration) => const unsubscribe = ({ registration, subscription }) => subscription ? subscription.unsubscribe().then(() => registration) : registration; -const sendSubscriptionToBackend = (getState, subscription) => { +const sendSubscriptionToBackend = (subscription) => { const params = { subscription }; if (me) { @@ -46,7 +46,7 @@ const sendSubscriptionToBackend = (getState, subscription) => { } } - return api(getState).post('/api/web/push_subscriptions', params).then(response => response.data); + return api().post('/api/web/push_subscriptions', params).then(response => response.data); }; // Last one checks for payload support: https://web-push-book.gauntface.com/chapter-06/01-non-standards-browsers/#no-payload @@ -85,13 +85,13 @@ export function register () { } else { // Something went wrong, try to subscribe again return unsubscribe({ registration, subscription }).then(subscribe).then( - subscription => sendSubscriptionToBackend(getState, subscription)); + subscription => sendSubscriptionToBackend(subscription)); } } // No subscription, try to subscribe return subscribe(registration).then( - subscription => sendSubscriptionToBackend(getState, subscription)); + subscription => sendSubscriptionToBackend(subscription)); }) .then(subscription => { // If we got a PushSubscription (and not a subscription object from the backend) @@ -134,7 +134,7 @@ export function saveSettings() { const alerts = state.get('alerts'); const data = { alerts }; - api(getState).put(`/api/web/push_subscriptions/${subscription.get('id')}`, { + api().put(`/api/web/push_subscriptions/${subscription.get('id')}`, { data, }).then(() => { if (me) { diff --git a/app/javascript/mastodon/actions/settings.js b/app/javascript/mastodon/actions/settings.js index 5634a11efb..6bf85e4648 100644 --- a/app/javascript/mastodon/actions/settings.js +++ b/app/javascript/mastodon/actions/settings.js @@ -24,7 +24,7 @@ const debouncedSave = debounce((dispatch, getState) => { const data = getState().get('settings').filter((_, path) => path !== 'saved').toJS(); - api(getState).put('/api/web/settings', { data }) + api().put('/api/web/settings', { data }) .then(() => dispatch({ type: SETTING_SAVE })) .catch(error => dispatch(showAlertForError(error))); }, 5000, { trailing: true });