From e2674c3b27174e408264b84f50bf86a13e2d3824 Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Fri, 9 Feb 2024 17:29:29 +0300 Subject: Use fetch credentials instead of hash parameter for authenticated requests --- src/main/assets/scripts.js | 45 +++++++++------------- src/main/resources/templates/layouts/default.html | 2 +- .../java/com/juick/server/tests/ServerTests.java | 12 ++---- 3 files changed, 24 insertions(+), 35 deletions(-) (limited to 'src') diff --git a/src/main/assets/scripts.js b/src/main/assets/scripts.js index f3aea835..3c83bba4 100644 --- a/src/main/assets/scripts.js +++ b/src/main/assets/scripts.js @@ -117,12 +117,9 @@ function initES() { return } let url = '/api/events' - let hash = document.getElementById('body').getAttribute('data-hash') - if (hash) { - url += '?hash=' + hash - } - - es = new EventSource(url) + es = new EventSource(url, { + withCredentials: true + }) es.onopen = function() { console.log('online') if (!document.querySelector('#wsthread')) { @@ -309,10 +306,10 @@ function showCommentForm(mid, rid) { } submitButton.disabled = true let formData = new FormData(form) - fetch('/api/comment' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), { + fetch('/api/comment', { method: 'POST', body: formData, - credentials: 'omit' + credentials: 'include' }).then(handleErrors) .then(response => response.json()) .then(result => { @@ -427,10 +424,9 @@ function resultMessage(str) { function likeMessage(e, mid) { if (confirm(i18n('message.likeThisMessage?'))) { - fetch('/api/like?mid=' + mid - + '&hash=' + document.getElementById('body').getAttribute('data-hash'), { + fetch('/api/like?mid=' + mid, { method: 'POST', - credentials: 'omit' + credentials: 'include' }) .then(handleErrors) .then(function(response) { 
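Review bot: `withCredentials: true` on the new EventSource only changes behaviour for cross-origin URLs; for the relative `/api/events` the default credentials mode already sends same-origin cookies, so the option is a no-op here and reads as if it were what makes the cookie-based auth work. A short comment would prevent that misreading, e.g. `// same-origin: cookies are sent regardless; withCredentials only matters if /api/events ever moves cross-origin`. initES begins before this hunk and continues after it.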
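Review bot: Switching the `/api/comment` POST to `credentials: 'include'` makes it authenticate with the `juick-remember-me` cookie, and the removed `?hash=` query parameter was an unguessable per-user token, so unless that cookie is issued with a `SameSite` attribute or `/api/*` POSTs require a CSRF token, a cross-site page can now trigger this call on a logged-in user's behalf; the same applies to the likeMessage, subscribeMessage, setPrivacy, toggleWL, registerServiceWorker, postmsg and pmmsg hunks. The test side of this patch uses `.with(csrf())` for `/login`, which suggests Spring CSRF protection is enabled somewhere, yet none of these fetch calls sends a CSRF token, so either the API paths are exempt (the exposure above) or these requests will now be rejected — the server config is not visible here, so this needs confirming. If it is already handled, a one-line comment at the first call such as `// cookie auth: /api/* POSTs are CSRF-protected server-side (SameSite cookie / CSRF token)` would make the assumption explicit. Since every URL here is relative, `credentials: 'same-origin'` behaves identically for these requests and is the narrower choice, as it stops sending the cookie if a call is later pointed at another origin. The promise chain in showCommentForm continues past the hunk.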
@@ -446,10 +442,9 @@ function likeMessage(e, mid) { } function subscribeMessage(e, mid) { - fetch('/api/subscribe?mid=' + mid - + '&hash=' + document.getElementById('body').getAttribute('data-hash'), { + fetch('/api/subscribe?mid=' + mid, { method: 'POST', - credentials: 'omit' + credentials: 'include' }) .then(handleErrors) .then(function(response) { @@ -468,9 +463,8 @@ function subscribeMessage(e, mid) { /******************************************************************************/ function setPrivacy(e, mid) { - fetch('/api/messages/set_privacy?mid=' + mid - + '&hash=' + document.getElementById('body').getAttribute('data-hash'), { - credentials: 'same-origin', + fetch('/api/messages/set_privacy?mid=' + mid, { + credentials: 'include', method: 'POST' }) .then(handleErrors) @@ -485,9 +479,8 @@ function setPrivacy(e, mid) { return false } function toggleWL(e, name) { - fetch('/api/users/wl?name=' + name - + '&hash=' + document.getElementById('body').getAttribute('data-hash'), { - credentials: 'same-origin', + fetch('/api/users/wl?name=' + name, { + credentials: 'include', method: 'POST' }) .then(handleErrors) @@ -559,12 +552,12 @@ const registerServiceWorker = () => { }, err => console.error(err) ).then(body => { - return fetch('/api/notifications?hash=' + document.getElementById('body').getAttribute('data-hash'), { + return fetch('/api/notifications', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, - credentials: 'same-origin', + credentials: 'include', body: JSON.stringify(body) }) }).then(response => { @@ -666,10 +659,10 @@ ready(() => { }) postmsg.addEventListener('submit', e => { let formData = new FormData(postmsg) - fetch('/api/post' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), { + fetch('/api/post', { method: 'POST', body: formData, - credentials: 'omit' + credentials: 'include' }).then(handleErrors) .then(response => response.json()) .then(result => { 
@@ -687,10 +680,10 @@ ready(() => { /** @type {HTMLFormElement[]} */ (Array.from(document.querySelectorAll('.pmmsg'))).forEach(pmmsg => { pmmsg.addEventListener('submit', e => { let formData = new FormData(pmmsg) - fetch('/api/pm' + '?hash=' + document.getElementById('body').getAttribute('data-hash'), { + fetch('/api/pm', { method: 'POST', body: formData, - credentials: 'omit' + credentials: 'include' }).then(handleErrors) .then(response => response.json()) .then(result => { diff --git a/src/main/resources/templates/layouts/default.html b/src/main/resources/templates/layouts/default.html index c3dac5d4..c9b4625a 100644 --- a/src/main/resources/templates/layouts/default.html +++ b/src/main/resources/templates/layouts/default.html @@ -35,7 +35,7 @@ - 0 %}data-hash="{{visitor.authHash}}"{% endif %}> +
{% include "views/partial/navigation" %}
diff --git a/src/test/java/com/juick/server/tests/ServerTests.java b/src/test/java/com/juick/server/tests/ServerTests.java index e74e8c6f..0724eb4f 100644 --- a/src/test/java/com/juick/server/tests/ServerTests.java +++ b/src/test/java/com/juick/server/tests/ServerTests.java @@ -1754,8 +1754,7 @@ public class ServerTests { public void hashLoginShouldNotUseSession() throws Exception { String hash = userService.getHashByUID(ugnich.getUid()); MvcResult hashLoginResult = mockMvc.perform(get("/?show=my&hash=" + hash)).andExpect(status().isOk()) - .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))) - .andExpect(content().string(containsString(hash))).andReturn(); + .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))).andReturn(); Cookie rememberMeFromHash = hashLoginResult.getResponse().getCookie("juick-remember-me"); MvcResult formLoginResult = mockMvc .perform(post("/login").with(csrf()).param("username", ugnichName).param("password", 
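Review bot: The removed `containsString(hash)` assertions are not replaced by the negative check this commit makes true, so hashLoginShouldNotUseSession no longer pins the property that the auth hash has left the rendered page. Adding `.andExpect(content().string(not(containsString(hash))))` after the model assertion here, and at the two corresponding places in the next hunk, would catch a regression that reintroduces `data-hash` or otherwise prints the hash into the HTML. `not` is the Hamcrest matcher alongside the `containsString` already used; whether it is already imported cannot be seen from this hunk. The method continues past the end of the hunk.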
@@ -1763,19 +1762,16 @@ public class ServerTests { .andExpect(status().is3xxRedirection()).andReturn(); Cookie rememberMeFromForm = formLoginResult.getResponse().getCookie("juick-remember-me"); mockMvc.perform(get("/?show=my").cookie(rememberMeFromForm)).andExpect(status().isOk()) - .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))) - .andExpect(content().string(containsString(hash))); + .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))); mockMvc.perform(get("/?show=my").cookie(rememberMeFromHash)).andExpect(status().isOk()) - .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))) - .andExpect(content().string(containsString(hash))); + .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))); } @Test public void apiRequestsShouldAuthorizeWithCookie() throws Exception { String hash = userService.getHashByUID(ugnich.getUid()); MvcResult hashLoginResult = mockMvc.perform(get("/?show=my&hash=" + hash)).andExpect(status().isOk()) - .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))) - .andExpect(content().string(containsString(hash))).andReturn(); + .andExpect(model().attribute("visitor", hasProperty("authHash", equalTo(hash)))).andReturn(); Cookie rememberMeFromHash = hashLoginResult.getResponse().getCookie("juick-remember-me"); mockMvc.perform(get("/api/me").cookie(rememberMeFromHash)) .andExpect(status().isOk()); -- cgit v1.2.3
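Review bot: apiRequestsShouldAuthorizeWithCookie only exercises `GET /api/me` with the remember-me cookie, while the scripts.js side of this commit now relies on cookie authentication for state-changing POSTs (`/api/comment`, `/api/like`, `/api/subscribe`, `/api/post`, ...). A second case along the lines of `mockMvc.perform(post("/api/like").param("mid", ...).cookie(rememberMeFromHash))`, written with or without `.with(csrf())` to match whatever CSRF policy the API is meant to have, would pin the behaviour the client depends on and make that policy explicit in the tests rather than implied. The method's closing brace lies outside the hunk.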