};
if (this.state.user.id > 0)
{
- fetch(params.serverUrl + "/whoami", {
- method: "GET",
- credentials: params.cors ? "include" : "omit",
- }).then((res) => {
+ ajax("/whoami", "GET", res => {
this.state.user.email = res.email;
this.state.user.notify = res.notify;
});
+ // TODO: fetch is simpler, but does not set req.xhr (for security check)
+// fetch(params.serverUrl + "/whoami", {
+// method: "GET",
+// credentials: params.cors ? "include" : "omit",
+// }).then((res) => {
+// return res.json()
+// }).then((user) => {
+// this.state.user.email = user.email;
+// this.state.user.notify = user.notify;
+// });
}
this.state.conn = new WebSocket(params.socketUrl + "/?sid=" + mysid);
// Settings initialized with values from localStorage
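Review bot: The TODO added after the `ajax("/whoami", "GET", ...)` call, and the matching comment added above `toQueryString`, treat `req.xhr` as a security check. If the server is Express, `req.xhr` only reports whether the request carries `X-Requested-With: XMLHttpRequest`, a header any client can send, so the `ajax` middleware cannot decide who may read the email and notify fields; that decision has to rest on the session check. The TODO itself could be resolved by having fetch send the header explicitly, `headers: {"X-Requested-With": "XMLHttpRequest"}`, while keeping the `credentials` option. I would drop the commented-out fetch block instead of committing it and reword the comment as `// NOTE: req.xhr is only a request-header hint, not authentication; /whoami relies on the session`. The callback also assigns `res.email` and `res.notify` without checking for the `errmsg` reply that the middleware returns, unless `ajax()` filters it, which is not visible here.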
// TODO: replace by fetch API ?
// https://www.sitepoint.com/xmlhttprequest-vs-the-fetch-api-whats-best-for-ajax-in-2019/
+// Problem: fetch() does not set req.xhr... see access/ajax() security especially for /whoami
// From JSON (encoded string values!) to "arg1=...&arg2=..."
function toQueryString(data)
// Prevent direct access to AJAX results
ajax: function(req, res, next) {
- if (!req.xhr)
+ if (!req.xhr)
return res.json({errmsg: "Unauthorized access"});
next();
},