maciej/yarr
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

simple csrf protection

Browse source
This commit is contained in:
Nazar Kanaev 2021-01-04 14:15:28 +00:00
parent fa0237b546
commit d6c2ba5812
2 changed files with 13 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
server/server.go
View file

@ -43,6 +43,10 @@ func (h *Handler) Start() {
}
}
func unsafeMethod(method string) bool {
return method == "POST" || method == "PUT" || method == "DELETE"
}
func (h Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
route, vars := getRoute(req)
if route == nil {
@ -51,6 +55,10 @@ func (h Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
}
if h.requiresAuth() && !route.manualAuth {
if unsafeMethod(req.Method) && req.Header.Get("X-Requested-By") != "yarr" {
rw.WriteHeader(http.StatusUnauthorized)
return
}
if !userIsAuthenticated(req, h.Username, h.Password) {
rw.WriteHeader(http.StatusUnauthorized)
return