author | Vitaly Takmazov | 2024-02-09 17:29:29 +0300 |
---|---|---|
committer | Vitaly Takmazov | 2024-02-09 17:45:18 +0300 |
commit | e2674c3b27174e408264b84f50bf86a13e2d3824 (patch) | |
tree | 9f049f499d57780878034336ae7f2a19cd203b68 /src/main | |
parent | ab87188de28ae266aebf03fb429880cf293c6ee9 (diff) |
Use fetch credentials instead of hash parameter for authenticated requests
Diffstat (limited to 'src/main')
-rw-r--r-- | src/main/assets/scripts.js | 45 | ||||
-rw-r--r-- | src/main/resources/templates/layouts/default.html | 2 |
2 files changed, 20 insertions, 27 deletions
diff --git a/src/main/assets/scripts.js b/src/main/assets/scripts.js
index f3aea835..3c83bba4 100644
--- a/src/main/assets/scripts.js
+++ b/src/main/assets/scripts.js
@@ -117,12 +117,9 @@ function initES() {
 return
 }
 let url = '/api/events'
- let hash = document.getElementById('body').getAttribute('data-hash')
- if (hash) {
- url += '?hash=' + hash
- }
-
- es = new EventSource(url)
+ es = new EventSource(url, {
+ withCredentials: true
+ })
 es.onopen = function() {
 console.log('online')
 if (!document.querySelector('#wsthread')) {
@@ -309,10 +306,10 @@ function showCommentForm(mid, rid) {
 }
 submitButton.disabled = true
 let formData = new FormData(form)
- fetch('/api/comment' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/comment', {
 method: 'POST',
 body: formData,
- credentials: 'omit'
+ credentials: 'include'
 }).then(handleErrors)
 .then(response => response.json())
 .then(result => {
@@ -427,10 +424,9 @@ function resultMessage(str) {
 function likeMessage(e, mid) {
 if (confirm(i18n('message.likeThisMessage?'))) {
- fetch('/api/like?mid=' + mid
- + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/like?mid=' + mid, {
 method: 'POST',
- credentials: 'omit'
+ credentials: 'include'
 })
 .then(handleErrors)
 .then(function(response) {
@@ -446,10 +442,9 @@ function likeMessage(e, mid) {
 }
 function subscribeMessage(e, mid) {
- fetch('/api/subscribe?mid=' + mid
- + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/subscribe?mid=' + mid, {
 method: 'POST',
- credentials: 'omit'
+ credentials: 'include'
 })
 .then(handleErrors)
 .then(function(response) {
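Review bot: With `credentials: 'include'` and no token left in the request, the POST to `/api/comment` in showCommentForm can now be triggered from another origin with the victim's session cookie attached, unless the server has a CSRF defence that is not visible in this diff; the old `credentials: 'omit'` plus per-user hash was not forgeable because the attacker never held the hash. The same applies to the likeMessage and subscribeMessage hunks here and to setPrivacy, toggleWL, the notifications PUT, and the post and pm submit handlers in the following hunks. Before this ships, confirm that the session cookie is issued with `SameSite=Lax` or stricter and that these endpoints reject requests whose `Origin` does not match the site, or reintroduce a token that is carried in a request header rather than the URL. Since every URL here is relative, `credentials: 'same-origin'` would also be sufficient and is the narrower setting: `'include'` only differs by attaching cookies to cross-origin requests, which none of these are.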
@@ -468,9 +463,8 @@ function subscribeMessage(e, mid) {
 /******************************************************************************/
 function setPrivacy(e, mid) {
- fetch('/api/messages/set_privacy?mid=' + mid
- + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
- credentials: 'same-origin',
+ fetch('/api/messages/set_privacy?mid=' + mid, {
+ credentials: 'include',
 method: 'POST'
 })
 .then(handleErrors)
@@ -485,9 +479,8 @@ function setPrivacy(e, mid) {
 return false
 }
 function toggleWL(e, name) {
- fetch('/api/users/wl?name=' + name
- + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
- credentials: 'same-origin',
+ fetch('/api/users/wl?name=' + name, {
+ credentials: 'include',
 method: 'POST'
 })
 .then(handleErrors)
@@ -559,12 +552,12 @@ const registerServiceWorker = () => {
 },
 err => console.error(err)
 ).then(body => {
- return fetch('/api/notifications?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ return fetch('/api/notifications', {
 method: 'PUT',
 headers: {
 'Content-Type': 'application/json'
 },
- credentials: 'same-origin',
+ credentials: 'include',
 body: JSON.stringify(body)
 })
 }).then(response => {
@@ -666,10 +659,10 @@ ready(() => {
 })
 postmsg.addEventListener('submit', e => {
 let formData = new FormData(postmsg)
- fetch('/api/post' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/post', {
 method: 'POST',
 body: formData,
- credentials: 'omit'
+ credentials: 'include'
 }).then(handleErrors)
 .then(response => response.json())
 .then(result => {
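Review bot: The rewritten `fetch('/api/users/wl?name=' + name, {` in toggleWL still splices `name` into the query string unencoded, so a name containing `&`, `#`, `%` or a space yields a different request than intended; dropping the hash suffix was the natural moment to fix this. Use `fetch('/api/users/wl?name=' + encodeURIComponent(name), {`, or build the query with `new URLSearchParams({ name })` and append its string form. The same concatenation pattern is kept for `mid` in the setPrivacy hunk and in the earlier likeMessage and subscribeMessage hunks; if `mid` is always numeric that is harmless, but it is not checked here. The bodies of toggleWL and setPrivacy continue outside their hunks.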
@@ -687,10 +680,10 @@ ready(() => {
 /** @type {HTMLFormElement[]} */ (Array.from(document.querySelectorAll('.pmmsg'))).forEach(pmmsg => {
 pmmsg.addEventListener('submit', e => {
 let formData = new FormData(pmmsg)
- fetch('/api/pm' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/pm', {
 method: 'POST',
 body: formData,
- credentials: 'omit'
+ credentials: 'include'
 }).then(handleErrors)
 .then(response => response.json())
 .then(result => {
diff --git a/src/main/resources/templates/layouts/default.html b/src/main/resources/templates/layouts/default.html
index c3dac5d4..c9b4625a 100644
--- a/src/main/resources/templates/layouts/default.html
+++ b/src/main/resources/templates/layouts/default.html
@@ -35,7 +35,7 @@
 <link rel="manifest" href="//i.juick.com/manifest.json" />
 </head>
-<body id="body" {% if visitor.uid > 0 %}data-hash="{{visitor.authHash}}"{% endif %}>
+<body id="body">
 <div id="app">
 {% include "views/partial/navigation" %}
 <div id="content_wrapper">