Improve web api protect (#6343)

This commit is contained in:
abcang 2018-04-17 22:23:46 +09:00 committed by Eugen Rochko
parent 204d72fbe4
commit 897199910f
6 changed files with 18 additions and 10 deletions

View File

@ -0,0 +1,9 @@
# frozen_string_literal: true
class Api::Web::BaseController < Api::BaseController
protect_from_forgery with: :exception
rescue_from ActionController::InvalidAuthenticityToken do
render json: { error: "Can't verify CSRF token authenticity." }, status: 422
end
end

View File

@ -1,6 +1,6 @@
# frozen_string_literal: true
class Api::Web::EmbedsController < Api::BaseController
class Api::Web::EmbedsController < Api::Web::BaseController
respond_to :json
before_action :require_user!

View File

@ -1,10 +1,9 @@
# frozen_string_literal: true
class Api::Web::PushSubscriptionsController < Api::BaseController
class Api::Web::PushSubscriptionsController < Api::Web::BaseController
respond_to :json
before_action :require_user!
protect_from_forgery with: :exception
def create
active_session = current_session

View File

@ -1,6 +1,6 @@
# frozen_string_literal: true
class Api::Web::SettingsController < Api::BaseController
class Api::Web::SettingsController < Api::Web::BaseController
respond_to :json
before_action :require_user!

View File

@ -36,7 +36,7 @@ const subscribe = (registration) =>
const unsubscribe = ({ registration, subscription }) =>
subscription ? subscription.unsubscribe().then(() => registration) : registration;
const sendSubscriptionToBackend = (getState, subscription) => {
const sendSubscriptionToBackend = (subscription) => {
const params = { subscription };
if (me) {
@ -46,7 +46,7 @@ const sendSubscriptionToBackend = (getState, subscription) => {
}
}
return api(getState).post('/api/web/push_subscriptions', params).then(response => response.data);
return api().post('/api/web/push_subscriptions', params).then(response => response.data);
};
// Last one checks for payload support: https://web-push-book.gauntface.com/chapter-06/01-non-standards-browsers/#no-payload
@ -85,13 +85,13 @@ export function register () {
} else {
// Something went wrong, try to subscribe again
return unsubscribe({ registration, subscription }).then(subscribe).then(
subscription => sendSubscriptionToBackend(getState, subscription));
subscription => sendSubscriptionToBackend(subscription));
}
}
// No subscription, try to subscribe
return subscribe(registration).then(
subscription => sendSubscriptionToBackend(getState, subscription));
subscription => sendSubscriptionToBackend(subscription));
})
.then(subscription => {
// If we got a PushSubscription (and not a subscription object from the backend)
@ -134,7 +134,7 @@ export function saveSettings() {
const alerts = state.get('alerts');
const data = { alerts };
api(getState).put(`/api/web/push_subscriptions/${subscription.get('id')}`, {
api().put(`/api/web/push_subscriptions/${subscription.get('id')}`, {
data,
}).then(() => {
if (me) {

View File

@ -24,7 +24,7 @@ const debouncedSave = debounce((dispatch, getState) => {
const data = getState().get('settings').filter((_, path) => path !== 'saved').toJS();
api(getState).put('/api/web/settings', { data })
api().put('/api/web/settings', { data })
.then(() => dispatch({ type: SETTING_SAVE }))
.catch(error => dispatch(showAlertForError(error)));
}, 5000, { trailing: true });