From 15ae483fadbd136acefcd602b2f2ac5a83165c73 Mon Sep 17 00:00:00 2001
From: Brian Picciano <mediocregopher@gmail.com>
Date: Sun, 29 Aug 2021 22:15:58 -0600
Subject: add CSRF checking

---
 static/src/assets/api.js   | 12 ++++++++++--
 static/src/assets/utils.js | 12 ++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 static/src/assets/utils.js

(limited to 'static')

diff --git a/static/src/assets/api.js b/static/src/assets/api.js
index bec2740..b591764 100644
--- a/static/src/assets/api.js
+++ b/static/src/assets/api.js
@@ -1,3 +1,4 @@
+import * as utils from "/assets/utils.js";
 
 const doFetch = async (req) => {
   let res, jsonRes;
@@ -48,7 +49,15 @@ const solvePow = async () => {
 const call = async (method, route, opts = {}) => {
   const { body = {}, requiresPow = false } = opts;
 
-  const reqOpts = { method };
+  if (!utils.cookies["csrf_token"]) 
+    throw "csrf_token cookie not set, can't make api call";
+
+  const reqOpts = {
+    method,
+    headers: {
+      "X-CSRF-Token": utils.cookies["csrf_token"],
+    },
+  };
 
   if (requiresPow) {
     const {seed, solution} = await solvePow();
@@ -57,7 +66,6 @@ const call = async (method, route, opts = {}) => {
   }
 
   if (Object.keys(body).length > 0) {
-
     const form = new FormData();
     for (const key in body) form.append(key, body[key]);
 
diff --git a/static/src/assets/utils.js b/static/src/assets/utils.js
new file mode 100644
index 0000000..96a2950
--- /dev/null
+++ b/static/src/assets/utils.js
@@ -0,0 +1,12 @@
+const cookies = {};
+const cookieKVs = document.cookie
+  .split(';')
+  .map(cookie => cookie.trim().split('=', 2));
+
+for (const i in cookieKVs) {
+  cookies[cookieKVs[i][0]] = cookieKVs[i][1];
+}
+
+export {
+  cookies,
+}
-- 
cgit v1.2.3