author | Andrew Dolgov <[email protected]> | 2021-03-14 14:17:18 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2021-03-14 14:17:18 +0300 |
commit | 1c9afba5f058adace5e005b51fc533882f9af0fa (patch) | |
tree | 99f4a228acf9f969d5411048c210338ba0fd126a /backend.php | |
parent | 2b8b845abe7c13ecbb266613910484310cffe8e1 (diff) |
* add CSRF protection to xhr requests
* force ORM to use SQLITE WAL
* add .editorconfig
* cleanup a few things
Diffstat (limited to 'backend.php')
-rw-r--r-- | backend.php | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/backend.php b/backend.php
index 42fc5e9..0cbd6f4 100644
--- a/backend.php
+++ b/backend.php
@@ -27,6 +27,18 @@
 $owner = $_SESSION["owner"] ?? "";
 $op = $_REQUEST["op"] ?? "";
+ if (!empty($_SESSION['owner'])) {
+ $csrf_ignore = [ "cover", "download", "getpagination" ];
+
+ $csrf_token = $_POST['csrf_token'] ?? "";
+
+ if (!in_array($op, $csrf_ignore) && !validate_csrf($csrf_token)) {
+ header($_SERVER["SERVER_PROTOCOL"]." 401 Unauthorized");
+ echo "Unauthorized (CSRF)";
+ exit;
+ }
+ }
+
 switch ($op) {
 case "cover":
 $id = (int) $_REQUEST["id"];
@@ -55,10 +67,6 @@
 }
 break;
- case "getowner":
- print json_encode(["owner" => $owner]);
- break;
-
 case "getinfo":
 $id = (int) $_REQUEST["id"];
@@ -300,6 +308,11 @@
 }
 break;
+ case "logout":
+ logout_user();
+ print json_encode(["result" => "OK"]);
+ break;
+
 default:
 header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
 echo "Method not found.";
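Review bot: The CSRF gate in the first hunk depends entirely on `validate_csrf()` rejecting the `""` fallback, because `$csrf_token = $_POST['csrf_token'] ?? ""` turns an absent token into an empty string; that function is outside this diff, so confirm it fails closed when the request token or the session token is empty and that it compares the two with `hash_equals()` rather than `==`. `in_array($op, $csrf_ignore)` should pass the strict flag, `in_array($op, $csrf_ignore, true)`, so PHP's loose comparison rules for numeric-looking strings never apply to a value read from `$_REQUEST`. A 403 Forbidden status describes a rejected token better than 401, which signals an authentication challenge to clients. The exemption list also deserves a one-line comment stating why those three ops are safe without a token, for example `// no token required: these ops are fetched via plain GET and do not change state`, with that claim checked against each of the three handlers, which lie outside this hunk.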