From: Benjamin Auder Date: Sat, 30 Nov 2019 00:22:16 +0000 (+0100) Subject: Fix /whoami: remove fetch() for now X-Git-Url: https://git.auder.net/doc/html/%7B%7B%20targetUrl%20%7D%7D?a=commitdiff_plain;h=317b8a5610953b30cfb84382bd13764177ce830b;p=vchess.git Fix /whoami: remove fetch() for now --- diff --git a/client/src/store.js b/client/src/store.js index f95e488f..12c756cf 100644 --- a/client/src/store.js +++ b/client/src/store.js @@ -31,13 +31,20 @@ export const store = }; if (this.state.user.id > 0) { - fetch(params.serverUrl + "/whoami", { - method: "GET", - credentials: params.cors ? "include" : "omit", - }).then((res) => { + ajax("/whoami", "GET", res => { this.state.user.email = res.email; this.state.user.notify = res.notify; }); + // TODO: fetch is simpler, but does not set req.xhr (for security check) +// fetch(params.serverUrl + "/whoami", { +// method: "GET", +// credentials: params.cors ? "include" : "omit", +// }).then((res) => { +// return res.json() +// }).then((user) => { +// this.state.user.email = user.email; +// this.state.user.notify = user.notify; +// }); } this.state.conn = new WebSocket(params.socketUrl + "/?sid=" + mysid); // Settings initialized with values from localStorage diff --git a/client/src/utils/ajax.js b/client/src/utils/ajax.js index 83b045c0..eb30330a 100644 --- a/client/src/utils/ajax.js +++ b/client/src/utils/ajax.js @@ -2,6 +2,7 @@ import params from "../parameters"; //for server URL // TODO: replace by fetch API ? // https://www.sitepoint.com/xmlhttprequest-vs-the-fetch-api-whats-best-for-ajax-in-2019/ +// Problem: fetch() does not set req.xhr... see access/ajax() security especially for /whoami // From JSON (encoded string values!) to "arg1=...&arg2=..." function toQueryString(data) diff --git a/server/utils/access.js b/server/utils/access.js index a7eb92ac..11753a0a 100644 --- a/server/utils/access.js +++ b/server/utils/access.js @@ -48,7 +48,7 @@ module.exports = // Prevent direct access to AJAX results ajax: function(req, res, next) { - if (!req.xhr) + if (!req.xhr) return res.json({errmsg: "Unauthorized access"}); next(); },