From 317b8a5610953b30cfb84382bd13764177ce830b Mon Sep 17 00:00:00 2001
From: Benjamin Auder <benjamin.auder@somewhere>
Date: Sat, 30 Nov 2019 01:22:16 +0100
Subject: [PATCH] Fix /whoami: remove fetch() for now

---
 client/src/store.js      | 15 +++++++++++----
 client/src/utils/ajax.js |  1 +
 server/utils/access.js   |  2 +-
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/client/src/store.js b/client/src/store.js
index f95e488f..12c756cf 100644
--- a/client/src/store.js
+++ b/client/src/store.js
@@ -31,13 +31,20 @@ export const store =
     };
     if (this.state.user.id > 0)
     {
-      fetch(params.serverUrl + "/whoami", {
-        method: "GET",
-        credentials: params.cors ? "include" : "omit",
-      }).then((res) => {
+      ajax("/whoami", "GET", res => {
         this.state.user.email = res.email;
         this.state.user.notify = res.notify;
       });
+      // TODO: fetch is simpler, but does not set req.xhr (for security check)
+//      fetch(params.serverUrl + "/whoami", {
+//        method: "GET",
+//        credentials: params.cors ? "include" : "omit",
+//      }).then((res) => {
+//        return res.json()
+//      }).then((user) => {
+//        this.state.user.email = user.email;
+//        this.state.user.notify = user.notify;
+//      });
     }
     this.state.conn = new WebSocket(params.socketUrl + "/?sid=" + mysid);
     // Settings initialized with values from localStorage
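Review bot: The nine `//`-prefixed lines added after the ajax() call are commented-out code and should be deleted rather than committed; the TODO comment on its own already records why fetch() was replaced, and the fetch version stays in history. Keep only the TODO, perhaps worded `// TODO: fetch() is simpler, but it does not set the header behind req.xhr, so the server's access.ajax() check rejects it.` That way the reason for the ajax() call is preserved without dead code that will drift out of sync with the live implementation. The enclosing function starts before and continues after this hunk.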
diff --git a/client/src/utils/ajax.js b/client/src/utils/ajax.js
index 83b045c0..eb30330a 100644
--- a/client/src/utils/ajax.js
+++ b/client/src/utils/ajax.js
@@ -2,6 +2,7 @@ import params from "../parameters"; //for server URL
 
 // TODO: replace by fetch API ?
 // https://www.sitepoint.com/xmlhttprequest-vs-the-fetch-api-whats-best-for-ajax-in-2019/
+// Problem: fetch() does not set req.xhr... see access/ajax() security especially for /whoami
 
 // From JSON (encoded string values!) to "arg1=...&arg2=..."
 function toQueryString(data)
diff --git a/server/utils/access.js b/server/utils/access.js
index a7eb92ac..11753a0a 100644
--- a/server/utils/access.js
+++ b/server/utils/access.js
@@ -48,7 +48,7 @@ module.exports =
 
 	// Prevent direct access to AJAX results
 	ajax: function(req, res, next) {
-		if (!req.xhr)
+    if (!req.xhr)
 			return res.json({errmsg: "Unauthorized access"});
 		next();
 	},
-- 
2.44.0