author | Brian Picciano <mediocregopher@gmail.com> | 2021-08-29 22:15:58 -0600 |
---|---|---|
committer | Brian Picciano <mediocregopher@gmail.com> | 2021-08-29 22:15:58 -0600 |
commit | 15ae483fadbd136acefcd602b2f2ac5a83165c73 (patch) | |
tree | 0f25ed1dd81e4fffeed6055dd02da48a567c8fb2 /static | |
parent | 5746a510fc569fd464e46b646d4979a976ad769b (diff) |
add CSRF checking
Diffstat (limited to 'static')
-rw-r--r-- | static/src/assets/api.js | 12 | ||||
-rw-r--r-- | static/src/assets/utils.js | 12 |
2 files changed, 22 insertions, 2 deletions
diff --git a/static/src/assets/api.js b/static/src/assets/api.js
index bec2740..b591764 100644
--- a/static/src/assets/api.js
+++ b/static/src/assets/api.js
@@ -1,3 +1,4 @@
+import * as utils from "/assets/utils.js";
 const doFetch = async (req) => {
 let res, jsonRes;
@@ -48,7 +49,15 @@ const solvePow = async () => {
 const call = async (method, route, opts = {}) => {
 const { body = {}, requiresPow = false } = opts;
- const reqOpts = { method };
+ if (!utils.cookies["csrf_token"])
+ throw "csrf_token cookie not set, can't make api call";
+
+ const reqOpts = {
+ method,
+ headers: {
+ "X-CSRF-Token": utils.cookies["csrf_token"],
+ },
+ };
 if (requiresPow) {
 const {seed, solution} = await solvePow();
@@ -57,7 +66,6 @@ const call = async (method, route, opts = {}) => {
 }
 if (Object.keys(body).length > 0) {
- const form = new FormData();
 for (const key in body) form.append(key, body[key]);
diff --git a/static/src/assets/utils.js b/static/src/assets/utils.js
new file mode 100644
index 0000000..96a2950
--- /dev/null
+++ b/static/src/assets/utils.js
@@ -0,0 +1,12 @@
+const cookies = {};
+const cookieKVs = document.cookie
+ .split(';')
+ .map(cookie => cookie.trim().split('=', 2));
+
+for (const i in cookieKVs) {
+ cookies[cookieKVs[i][0]] = cookieKVs[i][1];
+}
+
+export {
+ cookies,
+}
|
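Review bot: The CSRF guard added at the top of `call` throws a bare string, `throw "csrf_token cookie not set, can't make api call";`, which gives callers no stack trace and defeats `instanceof Error` handling; it should be `throw new Error("csrf_token cookie not set, can't make api call");`. Echoing the cookie value in `X-CSRF-Token` is the double-submit pattern, which only protects anything if the `csrf_token` cookie is not `HttpOnly` (it must be readable here) and the server actually rejects requests whose header does not equal the cookie — neither side is visible in this diff, so confirm both on the backend. Note also that `utils.cookies` is a one-time snapshot taken when utils.js was evaluated, so a token first set or rotated by a response after page load will not be seen until a reload; if the server does that, read `document.cookie` at call time instead. The body of `call` continues outside the hunk.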
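Review bot: The cookie parser in the new utils.js truncates any value containing `=`: `cookie.trim().split('=', 2)` keeps only the text before the second `=`, so a token like `abc==` (base64 padding) lands in `cookies` as `abc` and the `X-CSRF-Token` header would never match the cookie; split on the first `=` only, e.g. with `indexOf`. Whether this server's `csrf_token` format contains `=` is not visible here, but the parser should not depend on it. `for (const i in cookieKVs)` also iterates an array with `for...in`, and an empty `document.cookie` produces a stray `cookies[""]` entry; `for...of` over the pairs with an empty-pair skip fixes both. Values are stored raw, without `decodeURIComponent`, so if the backend percent-encodes the token the header carries the encoded form — confirm against how the cookie is set.
```javascript
const cookies = {};
for (const pair of document.cookie.split(';')) {
  const kv = pair.trim();
  if (kv === '') continue;
  // split on the first '=' only: the value may itself contain '=' (e.g. base64 padding)
  const eq = kv.indexOf('=');
  const name = eq === -1 ? kv : kv.slice(0, eq);
  const value = eq === -1 ? undefined : kv.slice(eq + 1);
  cookies[name] = value;
}
// … unchanged: export { cookies } …
```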