Improve web api protect (#6343)
This commit is contained in:
parent
204d72fbe4
commit
897199910f
9
app/controllers/api/web/base_controller.rb
Normal file
9
app/controllers/api/web/base_controller.rb
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class Api::Web::BaseController < Api::BaseController
|
||||||
|
protect_from_forgery with: :exception
|
||||||
|
|
||||||
|
rescue_from ActionController::InvalidAuthenticityToken do
|
||||||
|
render json: { error: "Can't verify CSRF token authenticity." }, status: 422
|
||||||
|
end
|
||||||
|
end
|
@ -1,6 +1,6 @@
|
|||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Api::Web::EmbedsController < Api::BaseController
|
class Api::Web::EmbedsController < Api::Web::BaseController
|
||||||
respond_to :json
|
respond_to :json
|
||||||
|
|
||||||
before_action :require_user!
|
before_action :require_user!
|
||||||
|
@ -1,10 +1,9 @@
|
|||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Api::Web::PushSubscriptionsController < Api::BaseController
|
class Api::Web::PushSubscriptionsController < Api::Web::BaseController
|
||||||
respond_to :json
|
respond_to :json
|
||||||
|
|
||||||
before_action :require_user!
|
before_action :require_user!
|
||||||
protect_from_forgery with: :exception
|
|
||||||
|
|
||||||
def create
|
def create
|
||||||
active_session = current_session
|
active_session = current_session
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Api::Web::SettingsController < Api::BaseController
|
class Api::Web::SettingsController < Api::Web::BaseController
|
||||||
respond_to :json
|
respond_to :json
|
||||||
|
|
||||||
before_action :require_user!
|
before_action :require_user!
|
||||||
|
@ -36,7 +36,7 @@ const subscribe = (registration) =>
|
|||||||
const unsubscribe = ({ registration, subscription }) =>
|
const unsubscribe = ({ registration, subscription }) =>
|
||||||
subscription ? subscription.unsubscribe().then(() => registration) : registration;
|
subscription ? subscription.unsubscribe().then(() => registration) : registration;
|
||||||
|
|
||||||
const sendSubscriptionToBackend = (getState, subscription) => {
|
const sendSubscriptionToBackend = (subscription) => {
|
||||||
const params = { subscription };
|
const params = { subscription };
|
||||||
|
|
||||||
if (me) {
|
if (me) {
|
||||||
@ -46,7 +46,7 @@ const sendSubscriptionToBackend = (getState, subscription) => {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return api(getState).post('/api/web/push_subscriptions', params).then(response => response.data);
|
return api().post('/api/web/push_subscriptions', params).then(response => response.data);
|
||||||
};
|
};
|
||||||
|
|
||||||
// Last one checks for payload support: https://web-push-book.gauntface.com/chapter-06/01-non-standards-browsers/#no-payload
|
// Last one checks for payload support: https://web-push-book.gauntface.com/chapter-06/01-non-standards-browsers/#no-payload
|
||||||
@ -85,13 +85,13 @@ export function register () {
|
|||||||
} else {
|
} else {
|
||||||
// Something went wrong, try to subscribe again
|
// Something went wrong, try to subscribe again
|
||||||
return unsubscribe({ registration, subscription }).then(subscribe).then(
|
return unsubscribe({ registration, subscription }).then(subscribe).then(
|
||||||
subscription => sendSubscriptionToBackend(getState, subscription));
|
subscription => sendSubscriptionToBackend(subscription));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// No subscription, try to subscribe
|
// No subscription, try to subscribe
|
||||||
return subscribe(registration).then(
|
return subscribe(registration).then(
|
||||||
subscription => sendSubscriptionToBackend(getState, subscription));
|
subscription => sendSubscriptionToBackend(subscription));
|
||||||
})
|
})
|
||||||
.then(subscription => {
|
.then(subscription => {
|
||||||
// If we got a PushSubscription (and not a subscription object from the backend)
|
// If we got a PushSubscription (and not a subscription object from the backend)
|
||||||
@ -134,7 +134,7 @@ export function saveSettings() {
|
|||||||
const alerts = state.get('alerts');
|
const alerts = state.get('alerts');
|
||||||
const data = { alerts };
|
const data = { alerts };
|
||||||
|
|
||||||
api(getState).put(`/api/web/push_subscriptions/${subscription.get('id')}`, {
|
api().put(`/api/web/push_subscriptions/${subscription.get('id')}`, {
|
||||||
data,
|
data,
|
||||||
}).then(() => {
|
}).then(() => {
|
||||||
if (me) {
|
if (me) {
|
||||||
|
@ -24,7 +24,7 @@ const debouncedSave = debounce((dispatch, getState) => {
|
|||||||
|
|
||||||
const data = getState().get('settings').filter((_, path) => path !== 'saved').toJS();
|
const data = getState().get('settings').filter((_, path) => path !== 'saved').toJS();
|
||||||
|
|
||||||
api(getState).put('/api/web/settings', { data })
|
api().put('/api/web/settings', { data })
|
||||||
.then(() => dispatch({ type: SETTING_SAVE }))
|
.then(() => dispatch({ type: SETTING_SAVE }))
|
||||||
.catch(error => dispatch(showAlertForError(error)));
|
.catch(error => dispatch(showAlertForError(error)));
|
||||||
}, 5000, { trailing: true });
|
}, 5000, { trailing: true });
|
||||||
|
Loading…
Reference in New Issue
Block a user