let calls with x-api-key bypass csrf checking

This commit is contained in:
slynn1324 2021-10-04 19:57:46 -05:00
parent 0d1037a1f0
commit 0bccaef904


@ -108,45 +108,18 @@ module.exports = async () => {
app.set('json spaces', 2);
app.use(cookieParser());
// api method that are not subject to CSRF checks
// handle raw uploads for pin creation
app.post("/up", async (req, res) => {
try {
require("fs").writeFileSync("up.jpg", req.body);
// try to parse the image first... if this blows up we'll stop early
let image = await imageUtils.processImage(req.body);
let boardName = req.headers['board-name'].trim();
// get the board
let board = dao.findBoardByUserAndName(req.user.id, boardName);
if ( !board ){
board = dao.createBoard(req.user.id, boardName, 0);
}
let pin = dao.createPin(req.user.id, board.id, null, null, null, null, image.original.height, image.original.width, image.thumbnail.height, image.thumbnail.height);
await imageUtils.saveImage(req.user.id, pin.id, image);
broadcast(req.user.id, {updateBoard:board.id});
res.status(200).send(pin);
} catch (err){
console.log(`Error uploading pin`, err);
res.status(500).send(SERVER_ERROR);
// only appy csrf if we don't have an x-api-key header. The value of the x-api-key will be validated by the auth middleware
app.use( (req,res,next) => {
let apiKey = req.headers["x-api-key"];
if ( apiKey ){
next();
} else {
csrf({cookie:true})(req,res,next);
}
});
// all other endpoints require csrf
app.use(csrf({cookie:true}));
// // all other endpoints require csrf
// app.use(csrf({cookie:true}));
// accept websocket connections. currently are parsing the userid from the path to
// map the connections to only notify on changes from the same user.
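Review bot: The presence check `if ( apiKey ){ next(); }` lets any request that carries an x-api-key header skip CSRF validation entirely, so the protection now rests on the auth middleware (not in this hunk) rejecting a present-but-invalid key rather than falling back to the session cookie; if it does fall back, the header becomes a CSRF bypass for any origin a permissive CORS policy lets send custom headers. A custom header is a sound CSRF signal only when it also binds authentication: when the header is present the request must be authenticated by the key alone, never by the cookie. That invariant should be stated where the bypass lives, e.g. replace the comment with `// requests carrying x-api-key skip CSRF; the auth middleware must then authenticate by the key only (never the session cookie), otherwise this header is a bypass`. The commented-out `app.use(csrf({cookie:true}))` lines at the end of the hunk should be deleted rather than left behind. The enclosing `module.exports = async () =>` function starts before and ends after this hunk.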
@ -397,6 +370,37 @@ module.exports = async () => {
});
// api method that are not subject to CSRF checks
// handle raw uploads for pin creation
app.post("/up", async (req, res) => {
try {
require("fs").writeFileSync("up.jpg", req.body);
// try to parse the image first... if this blows up we'll stop early
let image = await imageUtils.processImage(req.body);
let boardName = req.headers['board-name'].trim();
// get the board
let board = dao.findBoardByUserAndName(req.user.id, boardName);
if ( !board ){
board = dao.createBoard(req.user.id, boardName, 0);
}
let pin = dao.createPin(req.user.id, board.id, null, null, null, null, image.original.height, image.original.width, image.thumbnail.height, image.thumbnail.height);
await imageUtils.saveImage(req.user.id, pin.id, image);
broadcast(req.user.id, {updateBoard:board.id});
res.status(200).send(pin);
} catch (err){
console.log(`Error uploading pin`, err);
res.status(500).send(SERVER_ERROR);
}
});
// handle multipart uploads for pin creation