Commit 6b49c55b authored by Thimo Kraemer's avatar Thimo Kraemer

Added CSRF support

parent 3cbb7ca0
/*
* KSS-RPC v0.6-beta
* KSS-RPC v0.7-beta
*
* Copyright (c) 2017, joonis new media
* Author: Thimo Kraemer <thimo.kraemer@joonis.de>
......@@ -61,7 +61,7 @@
******************************************************************************************/
var kss = {
version: '0.6-beta',
version: '0.7-beta',
_initialized: false,
_ruleSheets: {},
_eventBinders: {},
......@@ -76,7 +76,10 @@ var kss = {
protocol: 'json-rpc', /* json-rpc | xml-rpc | url-encoded | json */
endpoint: '',
dateEncoding: 'iso8601', /* @timestamp@ | asp.net | class-hinting */
timeout: 10000
timeout: 10000,
csrfSelector: null,
csrfCookie: null,
csrfHeader: null
}
};
......@@ -934,56 +937,48 @@ kss.toQueryString = function(params) {
******************************************************************************************/
kss.RPC = function(endpoint, options) {
this._endpoint = endpoint;
//Set other default options
this._methodList = [];
// "json-rpc" || "xml-rpc" || "url-encoded" || "json"
this._protocol = 'json-rpc';
this._timeout = 10000;
// "iso8601" || "@timestamp@" || "class-hinting" || "asp.net"
this._dateEncoding = 'iso8601';
this._decodeISO8601 = true; // JSON only
//Get the provided options
if(options){
if(options.protocol) {
var protocol = options.protocol.toLowerCase();
switch(protocol) {
case 'json-rpc':
case 'json-rpc-v1':
case 'json-rpc-v2':
case 'xml-rpc':
case 'url-encoded':
case 'json':
this._protocol = protocol;
break;
default:
throw new Error('unknown protocol');
}
}
if(options.timeout)
this._timeout = parseInt(options.timeout);
if(options.dateEncoding) {
var dateEncoding = options.dateEncoding.toLowerCase();
switch(dateEncoding) {
case 'iso8601':
case '@timestamp@':
case 'class-hinting':
case 'asp.net':
this._dateEncoding = dateEncoding;
break;
default:
throw new Error('unknown dateEncoding');
}
}
if(options.decodeISO8601 !== undefined)
this._decodeISO8601 = !!options.decodeISO8601;
if(options.methods == 'auto')
this._methodList = this.invoke("system.listMethods");
else if (options.methods)
this._methodList = options.methods.slice();
// Set options
options = options || {}
// Protocol
this._protocol = (options.protocol || 'json-rpc').toLowerCase();
switch(this._protocol) {
case 'json-rpc':
case 'json-rpc-v1':
case 'json-rpc-v2':
case 'xml-rpc':
case 'url-encoded':
case 'json':
break;
default:
throw new Error('unknown protocol');
}
this._timeout = parseInt(options.timeout || 10000);
// Date encoding
this._dateEncoding = (options.dateEncoding || 'iso8601').toLowerCase();
switch(this._dateEncoding) {
case 'iso8601':
case '@timestamp@':
case 'class-hinting':
case 'asp.net':
break;
default:
throw new Error('unknown dateEncoding');
}
this._decodeISO8601 = true; // JSON only
if (options.decodeISO8601 !== undefined)
this._decodeISO8601 = !!options.decodeISO8601;
// CSRF token
this._csrfSelector = options.csrfSelector;
this._csrfCookie = options.csrfCookie;
this._csrfHeader = options.csrfHeader;
// RPC methods
this._methodList = [];
if (options.methods == 'auto')
this._methodList = this.invoke("system.listMethods");
else if (options.methods)
this._methodList = options.methods.slice();
this._methodList.push('system.listMethods');
this._methodList.push('system.describe');
......@@ -1030,7 +1025,7 @@ kss.RPC.prototype.invoke = function(method, params,
}
var postData, headers;
var url = this._endpoint;
var url = kss.toAbsoluteURL(this._endpoint);
// Prepare the URL-ENCODED or JSON request
if (this._protocol == 'url-encoded' || this._protocol == 'json') {
if (url && url.substr(-1) != '/') {
......@@ -1073,6 +1068,23 @@ kss.RPC.prototype.invoke = function(method, params,
};
}
// CSRF token
var sameOrigin = !url.split('://')[1].indexOf(window.location.host);
if (sameOrigin && this._csrfHeader) {
var csrfToken;
if (this._csrfCookie) {
csrfToken = kss.getCookie(this._csrfCookie);
}
if (!csrfToken && this._csrfSelector) {
var el = kss.cssQuery(this._csrfSelector)[0];
if (el) {
csrfToken = kss.getDataAttr(el, 'csrftoken') || el.value;
}
}
if (csrfToken)
headers[this._csrfHeader] = csrfToken;
}
// Prevent caching
url += (url.indexOf('?') < 0) ? '?' : '&';
url += '_ts=' + new Date().getTime();
......@@ -2179,6 +2191,14 @@ kss.openURL = function(href, _options) {
}
};
kss.getCookie = function(name) {
var regex = new RegExp('(^|;)\s*' + name + '\s*=([^;]*)');
var match = document.cookie.match(regex);
if (match)
return match[2].trim();
return null;
}
/*******************************************************************************************
* KSS Action Providers
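Review bot: The same-origin test `var sameOrigin = !url.split('://')[1].indexOf(window.location.host);` is only a prefix match, so any host that merely begins with the page's host (and any scheme on that host) is treated as same-origin and the CSRF token header is attached to the cross-site request; compare the full scheme-and-host instead, e.g. `var urlOrigin = url.split('/').slice(0, 3).join('/');` followed by `var sameOrigin = (urlOrigin == window.location.protocol + '//' + window.location.host);`. This code presumably relies on `kss.toAbsoluteURL` (now used for `url` in invoke) always returning a scheme-qualified URL, and on `headers` already being an object when `headers[this._csrfHeader]` is assigned; neither is visible in this hunk, so both are worth confirming. In `kss.getCookie`, the string `'(^|;)\s*'` drops the backslash before it reaches `RegExp` (`\s` inside a string literal is just `s`), so the pattern matches literal `s` characters rather than whitespace and finds no cookie that is not the first entry in `document.cookie`; it should read `'(^|;)\\s*' + name + '\\s*=([^;]*)'`. The enclosing function `kss.RPC.prototype.invoke` starts before the CSRF hunk.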
......