Setup access denied and csrf

2026-01-05 17:25:12 +01:00
parent f14201b5d1
commit 0035ec2ceb
5 changed files with 119 additions and 2 deletions


@@ -0,0 +1,41 @@
(function () {
const CSRF_COOKIE_NAME = "XSRF-TOKEN";
const DEFAULT_HEADER_NAME = "X-XSRF-TOKEN";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
const originalFetch = window.fetch;
function getCookie(name) {
return document.cookie
.split(";")
.map((c) => c.trim())
.filter((c) => c.startsWith(name + "="))
.map((c) => c.substring(name.length + 1))[0];
}
function isSameOrigin(url) {
const parsed = new URL(url, window.location.href);
return parsed.origin === window.location.origin;
}
function getMeta(name) {
const el = document.querySelector(`meta[name=\"${name}\"]`);
return el ? el.getAttribute("content") : null;
}
window.fetch = function patchedFetch(input, init = {}) {
const request = new Request(input, init);
const method = (request.method || "GET").toUpperCase();
if (!SAFE_METHODS.has(method) && isSameOrigin(request.url)) {
const token = getCookie(CSRF_COOKIE_NAME) || getMeta("_csrf");
const headerName = getMeta("_csrf_header") || DEFAULT_HEADER_NAME;
if (token) {
const headers = new Headers(request.headers || {});
headers.set(headerName, token);
return originalFetch(new Request(request, { headers }));
}
}
return originalFetch(request);
};
})();
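Review bot: The token and the header name are picked from different sources in the unsafe-method branch, lines `const token = getCookie(CSRF_COOKIE_NAME) || getMeta("_csrf")` and `const headerName = getMeta("_csrf_header") || DEFAULT_HEADER_NAME`, so a stale `XSRF-TOKEN` cookie would be sent under whatever header name the page's `_csrf_header` meta names, and the server would then see a token that does not belong to that header's repository. Pairing them from the same source avoids the mismatch: `const metaToken = getMeta("_csrf");`, `const token = metaToken || getCookie(CSRF_COOKIE_NAME);`, `const headerName = metaToken ? (getMeta("_csrf_header") || DEFAULT_HEADER_NAME) : DEFAULT_HEADER_NAME;`. The cookie value is also used raw; if it is ever percent-encoded by the server, `decodeURIComponent` on the `substring` result would be needed — confirm against the cookie repository in use. Only `window.fetch` is wrapped, so XMLHttpRequest-based code and any script loaded earlier that captured a reference to `fetch` still sends no token; a header comment stating this scope (`// Adds the CSRF header to same-origin, non-safe fetch() calls only; XHR and forms are not covered.`) would help the next maintainer.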


@@ -3,6 +3,8 @@
<head>
<meta charset="UTF-8" />
<title>Imgfloat Admin</title>
<meta name="_csrf" th:content="${_csrf.token}" />
<meta name="_csrf_header" th:content="${_csrf.headerName}" />
<link rel="icon" href="/favicon.ico" />
<link rel="stylesheet" href="/css/styles.css" />
<link
@@ -14,6 +16,7 @@
/>
<script src="https://cdn.jsdelivr.net/npm/sockjs-client@1/dist/sockjs.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/stompjs@2.3.3/lib/stomp.min.js"></script>
<script src="/js/csrf.js"></script>
</head>
<body class="admin-body">
<div class="admin-frame">


@@ -3,6 +3,8 @@
<head>
<meta charset="UTF-8" />
<title>Imgfloat Dashboard</title>
<meta name="_csrf" th:content="${_csrf.token}" />
<meta name="_csrf_header" th:content="${_csrf.headerName}" />
<link rel="icon" href="/favicon.ico" />
<link rel="stylesheet" href="/css/styles.css" />
</head>
@@ -109,6 +111,7 @@
<section class="card download-card-block" th:insert="fragments/downloads :: downloads"></section>
</div>
<script src="/js/cookie-consent.js"></script>
<script src="/js/csrf.js"></script>
<script src="/js/toast.js"></script>
<script src="/js/downloads.js"></script>
<script th:inline="javascript">
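Review bot: `/js/csrf.js` is included after `/js/cookie-consent.js` in this section, whereas the admin and settings pages load it in `<head>` before any other page script. If cookie-consent.js issues a fetch during its own load, or captures `window.fetch` at that time, that call runs against the unpatched function and carries no CSRF header. Moving the include ahead of cookie-consent.js, `<script src="/js/csrf.js"></script>` first, keeps the ordering consistent with the other templates.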


@@ -3,6 +3,8 @@
<head>
<meta charset="UTF-8" />
<title>Imgfloat Admin</title>
<meta name="_csrf" th:content="${_csrf.token}" />
<meta name="_csrf_header" th:content="${_csrf.headerName}" />
<link rel="icon" href="/favicon.ico" />
<link rel="stylesheet" href="/css/styles.css" />
<link
@@ -14,6 +16,7 @@
/>
<script src="https://cdn.jsdelivr.net/npm/sockjs-client@1/dist/sockjs.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/stompjs@2.3.3/lib/stomp.min.js"></script>
<script src="/js/csrf.js"></script>
</head>
<body class="settings-body">
<div class="settings-shell">