authorGravatar Vitaly Takmazov2024-02-09 17:29:29 +0300
committerGravatar Vitaly Takmazov2024-02-09 17:45:18 +0300
commite2674c3b27174e408264b84f50bf86a13e2d3824 (patch)
tree9f049f499d57780878034336ae7f2a19cd203b68 /src
parentab87188de28ae266aebf03fb429880cf293c6ee9 (diff)
Use fetch credentials instead of hash parameter for authenticated requests
Diffstat (limited to 'src')
-rw-r--r--src/main/assets/scripts.js45
-rw-r--r--src/main/resources/templates/layouts/default.html2
-rw-r--r--src/test/java/com/juick/server/tests/ServerTests.java12
3 files changed, 24 insertions, 35 deletions
diff --git a/src/main/assets/scripts.js b/src/main/assets/scripts.js
index f3aea835..3c83bba4 100644
--- a/src/main/assets/scripts.js
+++ b/src/main/assets/scripts.js
@@ -117,12 +117,9 @@ function initES() {
return
}
let url = '/api/events'
- let hash = document.getElementById('body').getAttribute('data-hash')
- if (hash) {
- url += '?hash=' + hash
- }
-
- es = new EventSource(url)
+ es = new EventSource(url, {
+ withCredentials: true
+ })
es.onopen = function() {
console.log('online')
if (!document.querySelector('#wsthread')) {
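Review bot: `withCredentials: true` on `es = new EventSource(url, {` only changes behaviour for cross-origin requests; for the same-origin relative URL `/api/events` the browser sends cookies regardless, so the option is inert as written. If the stream is meant to stay same-origin, a plain `es = new EventSource(url)` is equivalent and avoids implying a CORS setup that does not exist; if it is meant to move to another origin later, the server would then also have to answer with `Access-Control-Allow-Credentials: true` and a specific (non-wildcard) `Access-Control-Allow-Origin`. Either way a one-line comment stating which case is intended would help, e.g. `// same-origin today; withCredentials only matters if /api/events moves to another host`. initES begins outside the hunk.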
@@ -309,10 +306,10 @@ function showCommentForm(mid, rid) {
}
submitButton.disabled = true
let formData = new FormData(form)
- fetch('/api/comment' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/comment', {
method: 'POST',
body: formData,
- credentials: 'omit'
+ credentials: 'include'
}).then(handleErrors)
.then(response => response.json())
.then(result => {
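Review bot: Switching `fetch('/api/comment', {` to `credentials: 'include'` makes this state-changing POST authenticate purely from an ambient cookie, and nothing in the request replaces the per-request `hash` as an anti-CSRF token; unless the `/api/*` endpoints are protected server-side (a CSRF token check like the `.with(csrf())` the tests use for `/login`, or a `SameSite` attribute on the session cookie), a cross-site form post can now perform these actions on behalf of a logged-in user. I cannot see the server configuration from this diff, so please confirm and, if it is not covered, add a CSRF header or field to these requests. The same applies to the hunks for likeMessage, subscribeMessage, setPrivacy, toggleWL, the `/api/notifications` PUT in registerServiceWorker, and the `/api/post` / `/api/pm` submit handlers. Separately, every URL here is relative, so `credentials: 'same-origin'` (which is also the fetch default) is sufficient and tighter than `'include'`, which would additionally attach cookies to any cross-origin URL should the base ever change. showCommentForm starts and ends outside the hunk.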
@@ -427,10 +424,9 @@ function resultMessage(str) {
function likeMessage(e, mid) {
if (confirm(i18n('message.likeThisMessage?'))) {
- fetch('/api/like?mid=' + mid
- + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/like?mid=' + mid, {
method: 'POST',
- credentials: 'omit'
+ credentials: 'include'
})
.then(handleErrors)
.then(function(response) {
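Review bot: The rewritten `fetch('/api/like?mid=' + mid, {` still builds the query string by concatenation without encoding `mid`; `mid` looks numeric so this is probably harmless here, but the same pattern in toggleWL concatenates a user-supplied `name`. Prefer `fetch('/api/like?mid=' + encodeURIComponent(mid), {` (and likewise for subscribeMessage, setPrivacy and toggleWL), or build the URL with `new URLSearchParams({ mid })` so reserved characters cannot alter the query. likeMessage continues past the end of the hunk.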
@@ -446,10 +442,9 @@ function likeMessage(e, mid) {
}
function subscribeMessage(e, mid) {
- fetch('/api/subscribe?mid=' + mid
- + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/subscribe?mid=' + mid, {
method: 'POST',
- credentials: 'omit'
+ credentials: 'include'
})
.then(handleErrors)
.then(function(response) {
@@ -468,9 +463,8 @@ function subscribeMessage(e, mid) {
/******************************************************************************/
function setPrivacy(e, mid) {
- fetch('/api/messages/set_privacy?mid=' + mid
- + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
- credentials: 'same-origin',
+ fetch('/api/messages/set_privacy?mid=' + mid, {
+ credentials: 'include',
method: 'POST'
})
.then(handleErrors)
@@ -485,9 +479,8 @@ function setPrivacy(e, mid) {
return false
}
function toggleWL(e, name) {
- fetch('/api/users/wl?name=' + name
- + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
- credentials: 'same-origin',
+ fetch('/api/users/wl?name=' + name, {
+ credentials: 'include',
method: 'POST'
})
.then(handleErrors)
@@ -559,12 +552,12 @@ const registerServiceWorker = () => {
},
err => console.error(err)
).then(body => {
- return fetch('/api/notifications?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ return fetch('/api/notifications', {
method: 'PUT',
headers: {
'Content-Type': 'application/json'
},
- credentials: 'same-origin',
+ credentials: 'include',
body: JSON.stringify(body)
})
}).then(response => {
@@ -666,10 +659,10 @@ ready(() => {
})
postmsg.addEventListener('submit', e => {
let formData = new FormData(postmsg)
- fetch('/api/post' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/post', {
method: 'POST',
body: formData,
- credentials: 'omit'
+ credentials: 'include'
}).then(handleErrors)
.then(response => response.json())
.then(result => {
@@ -687,10 +680,10 @@ ready(() => {
/** @type {HTMLFormElement[]} */ (Array.from(document.querySelectorAll('.pmmsg'))).forEach(pmmsg => {
pmmsg.addEventListener('submit', e => {
let formData = new FormData(pmmsg)
- fetch('/api/pm' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+ fetch('/api/pm', {
method: 'POST',
body: formData,
- credentials: 'omit'
+ credentials: 'include'
}).then(handleErrors)
.then(response => response.json())
.then(result => {
diff --git a/src/main/resources/templates/layouts/default.html b/src/main/resources/templates/layouts/default.html
index c3dac5d4..c9b4625a 100644
--- a/src/main/resources/templates/layouts/default.html
+++ b/src/main/resources/templates/layouts/default.html
@@ -35,7 +35,7 @@
<link rel="manifest" href="//i.juick.com/manifest.json" />
</head>
-<body id="body" {% if visitor.uid > 0 %}data-hash="{{visitor.authHash}}"{% endif %}>
+<body id="body">
<div id="app">
{% include "views/partial/navigation" %}
<div id="content_wrapper">
diff --git a/src/test/java/com/juick/server/tests/ServerTests.java b/src/test/java/com/juick/server/tests/ServerTests.java
index e74e8c6f..0724eb4f 100644
--- a/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/src/test/java/com/juick/server/tests/ServerTests.java
@@ -1754,8 +1754,7 @@ public class ServerTests {
public void hashLoginShouldNotUseSession() throws Exception {
String hash = userService.getHashByUID(ugnich.getUid());
MvcResult hashLoginResult = mockMvc.perform(get("/?show=my&hash=" + hash)).andExpect(status().isOk())
- .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash))))
- .andExpect(content().string(containsString(hash))).andReturn();
+ .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))).andReturn();
Cookie rememberMeFromHash = hashLoginResult.getResponse().getCookie("juick-remember-me");
MvcResult formLoginResult = mockMvc
.perform(post("/login").with(csrf()).param("username", ugnichName).param("password",
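Review bot: Dropping `.andExpect(content().string(containsString(hash)))` only stops asserting the old behaviour; since the point of the change is that the auth hash no longer appears in rendered HTML, the test should now assert the inverse so a future template change cannot quietly reintroduce the leak, e.g. `.andExpect(content().string(not(containsString(hash))))` after the `visitor` expectation (using Hamcrest `org.hamcrest.Matchers.not`, if it is not already statically imported). The same replacement applies to the two later assertions in hashLoginShouldNotUseSession and to the one in apiRequestsShouldAuthorizeWithCookie in the following hunk. The enclosing method starts before the hunk (its `@Test` annotation is not shown) and ends after it.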
@@ -1763,19 +1762,16 @@ public class ServerTests {
.andExpect(status().is3xxRedirection()).andReturn();
Cookie rememberMeFromForm = formLoginResult.getResponse().getCookie("juick-remember-me");
mockMvc.perform(get("/?show=my").cookie(rememberMeFromForm)).andExpect(status().isOk())
- .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash))))
- .andExpect(content().string(containsString(hash)));
+ .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash))));
mockMvc.perform(get("/?show=my").cookie(rememberMeFromHash)).andExpect(status().isOk())
- .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash))))
- .andExpect(content().string(containsString(hash)));
+ .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash))));
}
@Test
public void apiRequestsShouldAuthorizeWithCookie() throws Exception {
String hash = userService.getHashByUID(ugnich.getUid());
MvcResult hashLoginResult = mockMvc.perform(get("/?show=my&hash=" + hash)).andExpect(status().isOk())
- .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash))))
- .andExpect(content().string(containsString(hash))).andReturn();
+ .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))).andReturn();
Cookie rememberMeFromHash = hashLoginResult.getResponse().getCookie("juick-remember-me");
mockMvc.perform(get("/api/me").cookie(rememberMeFromHash))
.andExpect(status().isOk());