Added CSRF support

6b49c55b · Thimo Kraemer · 3cbb7ca0 · 6b49c55b · 6b49c55b
Commit 6b49c55b authored Oct 08, 2018 by Thimo Kraemer
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 74 additions and 54 deletions

kss.js kss.js +72 -52

kss.min.js kss.min.js +2 -2

No files found.
--- a/kss.js
+++ b/kss.js
 /*
-*  KSS-RPC v0.6-beta
+*  KSS-RPC v0.7-beta
 *
 *  Copyright (c) 2017, joonis new media
 *  Author: Thimo Kraemer <thimo.kraemer@joonis.de>
@@ -61,7 +61,7 @@
 ******************************************************************************************/

 var kss = {
-    version: '0.6-beta',
+    version: '0.7-beta',
    _initialized: false,
    _ruleSheets: {},
    _eventBinders: {},
@@ -76,7 +76,10 @@ var kss = {
        protocol: 'json-rpc', /* json-rpc | xml-rpc | url-encoded | json */
        endpoint: '',
        dateEncoding: 'iso8601', /* @timestamp@ | asp.net | class-hinting */
-        timeout: 10000
+        timeout: 10000,
+        csrfSelector: null,
+        csrfCookie: null,
+        csrfHeader: null
        }
 };

@@ -934,56 +937,48 @@ kss.toQueryString = function(params) {
 ******************************************************************************************/

 kss.RPC = function(endpoint, options) {
-
+    
    this._endpoint = endpoint;
-    //Set other default options
-    this._methodList = [];
-    // "json-rpc" || "xml-rpc" || "url-encoded" || "json"
-    this._protocol = 'json-rpc';
-    this._timeout = 10000;
-    // "iso8601" || "@timestamp@" || "class-hinting" || "asp.net"
-    this._dateEncoding = 'iso8601';
-    this._decodeISO8601 = true; // JSON only
-
-    //Get the provided options
-    if(options){
-        if(options.protocol) {
-            var protocol = options.protocol.toLowerCase();
-            switch(protocol) {
-                case 'json-rpc':
-                case 'json-rpc-v1':
-                case 'json-rpc-v2':
-                case 'xml-rpc':
-                case 'url-encoded':
-                case 'json':
-                    this._protocol = protocol;
-                    break;
-                default:
-                    throw new Error('unknown protocol');
-            }
-        }
-        if(options.timeout)
-            this._timeout = parseInt(options.timeout);
-        if(options.dateEncoding) {
-            var dateEncoding = options.dateEncoding.toLowerCase();
-            switch(dateEncoding) {
-                case 'iso8601':
-                case '@timestamp@':
-                case 'class-hinting':
-                case 'asp.net':
-                    this._dateEncoding = dateEncoding;
-                    break;
-                default:
-                    throw new Error('unknown dateEncoding');
-            }
-        }
-        if(options.decodeISO8601 !== undefined)
-            this._decodeISO8601 = !!options.decodeISO8601;
-        if(options.methods == 'auto')
-            this._methodList = this.invoke("system.listMethods");
-        else if (options.methods)
-            this._methodList = options.methods.slice();
+    // Set options
+    options = options || {}
+    // Protocol
+    this._protocol = (options.protocol || 'json-rpc').toLowerCase();
+    switch(this._protocol) {
+        case 'json-rpc':
+        case 'json-rpc-v1':
+        case 'json-rpc-v2':
+        case 'xml-rpc':
+        case 'url-encoded':
+        case 'json':
+            break;
+        default:
+            throw new Error('unknown protocol');
+    }
+    this._timeout = parseInt(options.timeout || 10000);
+    // Date encoding
+    this._dateEncoding = (options.dateEncoding || 'iso8601').toLowerCase();
+    switch(this._dateEncoding) {
+        case 'iso8601':
+        case '@timestamp@':
+        case 'class-hinting':
+        case 'asp.net':
+            break;
+        default:
+            throw new Error('unknown dateEncoding');
    }
+    this._decodeISO8601 = true; // JSON only
+    if (options.decodeISO8601 !== undefined)
+        this._decodeISO8601 = !!options.decodeISO8601;
+    // CSRF token
+    this._csrfSelector = options.csrfSelector;
+    this._csrfCookie = options.csrfCookie;
+    this._csrfHeader = options.csrfHeader;
+    // RPC methods
+    this._methodList = [];
+    if (options.methods == 'auto')
+        this._methodList = this.invoke("system.listMethods");
+    else if (options.methods)
+        this._methodList = options.methods.slice();
    this._methodList.push('system.listMethods');
    this._methodList.push('system.describe');

@@ -1030,7 +1025,7 @@ kss.RPC.prototype.invoke = function(method, params,
    }

    var postData, headers;
-    var url = this._endpoint;
+    var url = kss.toAbsoluteURL(this._endpoint);
    // Prepare the URL-ENCODED or JSON request
    if (this._protocol == 'url-encoded' || this._protocol == 'json') {
        if (url && url.substr(-1) != '/') {
@@ -1073,6 +1068,23 @@ kss.RPC.prototype.invoke = function(method, params,
        };
    }
    
+    // CSRF token
+    var sameOrigin = !url.split('://')[1].indexOf(window.location.host);
+    if (sameOrigin && this._csrfHeader) {
+        var csrfToken;
+        if (this._csrfCookie) { 
+            csrfToken = kss.getCookie(this._csrfCookie);
+        }
+        if (!csrfToken && this._csrfSelector) {
+            var el = kss.cssQuery(this._csrfSelector)[0];
+            if (el) {
+                csrfToken = kss.getDataAttr(el, 'csrftoken') || el.value;
+            }
+        }
+        if (csrfToken)
+            headers[this._csrfHeader] = csrfToken;
+    }
+    
    // Prevent caching
    url += (url.indexOf('?') < 0) ? '?' : '&';
    url += '_ts=' + new Date().getTime();
@@ -2179,6 +2191,14 @@ kss.openURL = function(href, _options) {
    }
 };

+kss.getCookie = function(name) {
+    var regex = new RegExp('(^|;)\s*' + name + '\s*=([^;]*)');
+    var match = document.cookie.match(regex);
+    if (match)
+        return match[2].trim();
+    return null;
+}
+

 /*******************************************************************************************
 * KSS Action Providers

--- a/kss.min.js
+++ b/kss.min.js