From 317b8a5610953b30cfb84382bd13764177ce830b Mon Sep 17 00:00:00 2001 From: Benjamin Auder Date: Sat, 30 Nov 2019 01:22:16 +0100 Subject: [PATCH] Fix /whoami: remove fetch() for now --- client/src/store.js | 15 +++++++++++---- client/src/utils/ajax.js | 1 + server/utils/access.js | 2 +- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/client/src/store.js b/client/src/store.js index f95e488f..12c756cf 100644 --- a/client/src/store.js +++ b/client/src/store.js @@ -31,13 +31,20 @@ export const store = }; if (this.state.user.id > 0) { - fetch(params.serverUrl + "/whoami", { - method: "GET", - credentials: params.cors ? "include" : "omit", - }).then((res) => { + ajax("/whoami", "GET", res => { this.state.user.email = res.email; this.state.user.notify = res.notify; }); + // TODO: fetch is simpler, but does not set req.xhr (for security check) +// fetch(params.serverUrl + "/whoami", { +// method: "GET", +// credentials: params.cors ? "include" : "omit", +// }).then((res) => { +// return res.json() +// }).then((user) => { +// this.state.user.email = user.email; +// this.state.user.notify = user.notify; +// }); } this.state.conn = new WebSocket(params.socketUrl + "/?sid=" + mysid); // Settings initialized with values from localStorage diff --git a/client/src/utils/ajax.js b/client/src/utils/ajax.js index 83b045c0..eb30330a 100644 --- a/client/src/utils/ajax.js +++ b/client/src/utils/ajax.js @@ -2,6 +2,7 @@ import params from "../parameters"; //for server URL // TODO: replace by fetch API ? // https://www.sitepoint.com/xmlhttprequest-vs-the-fetch-api-whats-best-for-ajax-in-2019/ +// Problem: fetch() does not set req.xhr... see access/ajax() security especially for /whoami // From JSON (encoded string values!) to "arg1=...&arg2=..." function toQueryString(data) diff --git a/server/utils/access.js b/server/utils/access.js index a7eb92ac..11753a0a 100644 --- a/server/utils/access.js +++ b/server/utils/access.js @@ -48,7 +48,7 @@ module.exports = // Prevent direct access to AJAX results ajax: function(req, res, next) { - if (!req.xhr) + if (!req.xhr) return res.json({errmsg: "Unauthorized access"}); next(); }, -- 2.44.0