Commit 6b49c55b authored by Thimo Kraemer's avatar Thimo Kraemer

Added CSRF support

parent 3cbb7ca0
/* /*
* KSS-RPC v0.6-beta * KSS-RPC v0.7-beta
* *
* Copyright (c) 2017, joonis new media * Copyright (c) 2017, joonis new media
* Author: Thimo Kraemer <thimo.kraemer@joonis.de> * Author: Thimo Kraemer <thimo.kraemer@joonis.de>
...@@ -61,7 +61,7 @@ ...@@ -61,7 +61,7 @@
******************************************************************************************/ ******************************************************************************************/
var kss = { var kss = {
version: '0.6-beta', version: '0.7-beta',
_initialized: false, _initialized: false,
_ruleSheets: {}, _ruleSheets: {},
_eventBinders: {}, _eventBinders: {},
...@@ -76,7 +76,10 @@ var kss = { ...@@ -76,7 +76,10 @@ var kss = {
protocol: 'json-rpc', /* json-rpc | xml-rpc | url-encoded | json */ protocol: 'json-rpc', /* json-rpc | xml-rpc | url-encoded | json */
endpoint: '', endpoint: '',
dateEncoding: 'iso8601', /* @timestamp@ | asp.net | class-hinting */ dateEncoding: 'iso8601', /* @timestamp@ | asp.net | class-hinting */
timeout: 10000 timeout: 10000,
csrfSelector: null,
csrfCookie: null,
csrfHeader: null
} }
}; };
...@@ -934,56 +937,48 @@ kss.toQueryString = function(params) { ...@@ -934,56 +937,48 @@ kss.toQueryString = function(params) {
******************************************************************************************/ ******************************************************************************************/
kss.RPC = function(endpoint, options) { kss.RPC = function(endpoint, options) {
this._endpoint = endpoint; this._endpoint = endpoint;
//Set other default options // Set options
this._methodList = []; options = options || {}
// "json-rpc" || "xml-rpc" || "url-encoded" || "json" // Protocol
this._protocol = 'json-rpc'; this._protocol = (options.protocol || 'json-rpc').toLowerCase();
this._timeout = 10000; switch(this._protocol) {
// "iso8601" || "@timestamp@" || "class-hinting" || "asp.net" case 'json-rpc':
this._dateEncoding = 'iso8601'; case 'json-rpc-v1':
this._decodeISO8601 = true; // JSON only case 'json-rpc-v2':
case 'xml-rpc':
//Get the provided options case 'url-encoded':
if(options){ case 'json':
if(options.protocol) { break;
var protocol = options.protocol.toLowerCase(); default:
switch(protocol) { throw new Error('unknown protocol');
case 'json-rpc': }
case 'json-rpc-v1': this._timeout = parseInt(options.timeout || 10000);
case 'json-rpc-v2': // Date encoding
case 'xml-rpc': this._dateEncoding = (options.dateEncoding || 'iso8601').toLowerCase();
case 'url-encoded': switch(this._dateEncoding) {
case 'json': case 'iso8601':
this._protocol = protocol; case '@timestamp@':
break; case 'class-hinting':
default: case 'asp.net':
throw new Error('unknown protocol'); break;
} default:
} throw new Error('unknown dateEncoding');
if(options.timeout)
this._timeout = parseInt(options.timeout);
if(options.dateEncoding) {
var dateEncoding = options.dateEncoding.toLowerCase();
switch(dateEncoding) {
case 'iso8601':
case '@timestamp@':
case 'class-hinting':
case 'asp.net':
this._dateEncoding = dateEncoding;
break;
default:
throw new Error('unknown dateEncoding');
}
}
if(options.decodeISO8601 !== undefined)
this._decodeISO8601 = !!options.decodeISO8601;
if(options.methods == 'auto')
this._methodList = this.invoke("system.listMethods");
else if (options.methods)
this._methodList = options.methods.slice();
} }
this._decodeISO8601 = true; // JSON only
if (options.decodeISO8601 !== undefined)
this._decodeISO8601 = !!options.decodeISO8601;
// CSRF token
this._csrfSelector = options.csrfSelector;
this._csrfCookie = options.csrfCookie;
this._csrfHeader = options.csrfHeader;
// RPC methods
this._methodList = [];
if (options.methods == 'auto')
this._methodList = this.invoke("system.listMethods");
else if (options.methods)
this._methodList = options.methods.slice();
this._methodList.push('system.listMethods'); this._methodList.push('system.listMethods');
this._methodList.push('system.describe'); this._methodList.push('system.describe');
...@@ -1030,7 +1025,7 @@ kss.RPC.prototype.invoke = function(method, params, ...@@ -1030,7 +1025,7 @@ kss.RPC.prototype.invoke = function(method, params,
} }
var postData, headers; var postData, headers;
var url = this._endpoint; var url = kss.toAbsoluteURL(this._endpoint);
// Prepare the URL-ENCODED or JSON request // Prepare the URL-ENCODED or JSON request
if (this._protocol == 'url-encoded' || this._protocol == 'json') { if (this._protocol == 'url-encoded' || this._protocol == 'json') {
if (url && url.substr(-1) != '/') { if (url && url.substr(-1) != '/') {
...@@ -1073,6 +1068,23 @@ kss.RPC.prototype.invoke = function(method, params, ...@@ -1073,6 +1068,23 @@ kss.RPC.prototype.invoke = function(method, params,
}; };
} }
// CSRF token
var sameOrigin = !url.split('://')[1].indexOf(window.location.host);
if (sameOrigin && this._csrfHeader) {
var csrfToken;
if (this._csrfCookie) {
csrfToken = kss.getCookie(this._csrfCookie);
}
if (!csrfToken && this._csrfSelector) {
var el = kss.cssQuery(this._csrfSelector)[0];
if (el) {
csrfToken = kss.getDataAttr(el, 'csrftoken') || el.value;
}
}
if (csrfToken)
headers[this._csrfHeader] = csrfToken;
}
// Prevent caching // Prevent caching
url += (url.indexOf('?') < 0) ? '?' : '&'; url += (url.indexOf('?') < 0) ? '?' : '&';
url += '_ts=' + new Date().getTime(); url += '_ts=' + new Date().getTime();
...@@ -2179,6 +2191,14 @@ kss.openURL = function(href, _options) { ...@@ -2179,6 +2191,14 @@ kss.openURL = function(href, _options) {
} }
}; };
kss.getCookie = function(name) {
var regex = new RegExp('(^|;)\s*' + name + '\s*=([^;]*)');
var match = document.cookie.match(regex);
if (match)
return match[2].trim();
return null;
}
/******************************************************************************************* /*******************************************************************************************
* KSS Action Providers * KSS Action Providers
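Review bot: The new `sameOrigin` test in the `kss.RPC.prototype.invoke` hunk (`!url.split('://')[1].indexOf(window.location.host)`) only checks that `window.location.host` is a prefix of everything after `://`, so a different port, a different scheme, or a host name that merely begins with the page's host all count as same-origin and get the CSRF token copied into `headers[this._csrfHeader]`; it also throws a TypeError if the value `kss.toAbsoluteURL` returns (defined outside the hunk) ever lacks `://`. Compare the host exactly and fail closed instead, e.g. `var urlHost = (url.split('://')[1] || '').split('/')[0];` and `var sameOrigin = urlHost === window.location.host && url.indexOf(window.location.protocol + '//') === 0;`. In the new `kss.getCookie` hunk, `'\s*'` inside a single-quoted string is just `s*` (the backslash is dropped), so the pattern never skips the space after `;` and a cookie that is not first in `document.cookie` is not found; write `var regex = new RegExp('(^|;)\\s*' + name + '\\s*=([^;]*)');` and either escape `name` for the regex or split `document.cookie` on `;` and compare names literally, since `name` is interpolated verbatim. `kss.RPC.prototype.invoke` starts and ends outside the hunk, and the `kss.getCookie` function expression is missing its terminating semicolon.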