From e2674c3b27174e408264b84f50bf86a13e2d3824 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Fri, 9 Feb 2024 17:29:29 +0300
Subject: Use fetch credentials instead of hash parameter for authenticated
 requests

---
 src/main/assets/scripts.js | 45 +++++++++++++++++++--------------------------
 1 file changed, 19 insertions(+), 26 deletions(-)

(limited to 'src/main/assets')

diff --git a/src/main/assets/scripts.js b/src/main/assets/scripts.js
index f3aea835..3c83bba4 100644
--- a/src/main/assets/scripts.js
+++ b/src/main/assets/scripts.js
@@ -117,12 +117,9 @@ function initES() {
         return
     }
     let url = '/api/events'
-    let hash = document.getElementById('body').getAttribute('data-hash')
-    if (hash) {
-        url += '?hash=' + hash
-    }
-
-    es = new EventSource(url)
+    es = new EventSource(url, {
+        withCredentials: true
+    })
     es.onopen = function() {
         console.log('online')
         if (!document.querySelector('#wsthread')) {
@@ -309,10 +306,10 @@ function showCommentForm(mid, rid) {
             }
             submitButton.disabled = true
             let formData = new FormData(form)
-            fetch('/api/comment' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+            fetch('/api/comment', {
                 method: 'POST',
                 body: formData,
-                credentials: 'omit'
+                credentials: 'include'
             }).then(handleErrors)
                 .then(response => response.json())
                 .then(result => {
@@ -427,10 +424,9 @@ function resultMessage(str) {
 
 function likeMessage(e, mid) {
     if (confirm(i18n('message.likeThisMessage?'))) {
-        fetch('/api/like?mid=' + mid
-            + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
+        fetch('/api/like?mid=' + mid, {
             method: 'POST',
-            credentials: 'omit'
+            credentials: 'include'
         })
             .then(handleErrors)
             .then(function(response) {
@@ -446,10 +442,9 @@ function likeMessage(e, mid) {
 }
 
 function subscribeMessage(e, mid) {
-    fetch('/api/subscribe?mid=' + mid
-        + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
+    fetch('/api/subscribe?mid=' + mid, {
         method: 'POST',
-        credentials: 'omit'
+        credentials: 'include'
     })
         .then(handleErrors)
         .then(function(response) {
@@ -468,9 +463,8 @@ function subscribeMessage(e, mid) {
 /******************************************************************************/
 
 function setPrivacy(e, mid) {
-    fetch('/api/messages/set_privacy?mid=' + mid
-        + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
-        credentials: 'same-origin',
+    fetch('/api/messages/set_privacy?mid=' + mid, {
+        credentials: 'include',
         method: 'POST'
     })
         .then(handleErrors)
@@ -485,9 +479,8 @@ function setPrivacy(e, mid) {
     return false
 }
 function toggleWL(e, name) {
-    fetch('/api/users/wl?name=' + name
-        + '&hash=' + document.getElementById('body').getAttribute('data-hash'), {
-        credentials: 'same-origin',
+    fetch('/api/users/wl?name=' + name, {
+        credentials: 'include',
         method: 'POST'
     })
         .then(handleErrors)
@@ -559,12 +552,12 @@ const registerServiceWorker = () => {
         },
         err => console.error(err)
     ).then(body => {
-        return fetch('/api/notifications?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+        return fetch('/api/notifications', {
             method: 'PUT',
             headers: {
                 'Content-Type': 'application/json'
             },
-            credentials: 'same-origin',
+            credentials: 'include',
             body: JSON.stringify(body)
         })
     }).then(response => {
@@ -666,10 +659,10 @@ ready(() => {
         })
         postmsg.addEventListener('submit', e => {
             let formData = new FormData(postmsg)
-            fetch('/api/post' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+            fetch('/api/post', {
                 method: 'POST',
                 body: formData,
-                credentials: 'omit'
+                credentials: 'include'
             }).then(handleErrors)
                 .then(response => response.json())
                 .then(result => {
@@ -687,10 +680,10 @@ ready(() => {
     /** @type {HTMLFormElement[]} */ (Array.from(document.querySelectorAll('.pmmsg'))).forEach(pmmsg => {
         pmmsg.addEventListener('submit', e => {
             let formData = new FormData(pmmsg)
-            fetch('/api/pm' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), {
+            fetch('/api/pm', {
                 method: 'POST',
                 body: formData,
-                credentials: 'omit'
+                credentials: 'include'
             }).then(handleErrors)
                 .then(response => response.json())
                 .then(result => {
-- 
cgit v1.2.3