Restrict cookie usage on api endpoints (#2151)
This commit is contained in:
parent
cccd65d93a
commit
5d48b5878f
@ -5,6 +5,7 @@ import arrow
|
||||
from flask import Blueprint, request, jsonify, g
|
||||
from flask_login import current_user
|
||||
|
||||
from app import constants
|
||||
from app.db import Session
|
||||
from app.models import ApiKey
|
||||
|
||||
@ -18,7 +19,9 @@ def authorize_request() -> Optional[Tuple[str, int]]:
|
||||
api_key = ApiKey.get_by(code=api_code)
|
||||
|
||||
if not api_key:
|
||||
if current_user.is_authenticated:
|
||||
if current_user.is_authenticated and request.headers.get(
|
||||
constants.HEADER_ALLOW_API_COOKIES
|
||||
):
|
||||
g.user = current_user
|
||||
else:
|
||||
return jsonify(error="Wrong api key"), 401
|
||||
|
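Review bot: The cookie fallback now hinges on the mere presence of the `X-Sl-Allowcookies` header, but nothing in the hunk records why that is a CSRF control; a comment above `if current_user.is_authenticated and request.headers.get(` such as `# Session cookies are honoured only when the caller adds this custom header: a foreign origin cannot set it without a CORS preflight, so forged cookie-authenticated API calls are refused.` would stop the next maintainer from relaxing the check. The defence holds only as long as the app does not answer preflights with `Access-Control-Allow-Headers` covering this header (or `*`) for other origins; that configuration is outside the hunk and is worth confirming. The value is never inspected — `request.headers.get` just needs a non-empty string — which is sufficient for the preflight argument but means the `'allow'` value the templates send is purely conventional. A logged-in browser request that omits the header still gets the pre-existing "Wrong api key" message, which is misleading when no key was sent; a distinct message would ease debugging. `authorize_request` begins before the hunk.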
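--- /dev/null
+++ b/app/constants.py
@@ -0,0 +1 @@
+HEADER_ALLOW_API_COOKIES = "X-Sl-Allowcookies"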
@ -29,7 +29,7 @@ from sentry_sdk.integrations.flask import FlaskIntegration
|
||||
from sentry_sdk.integrations.sqlalchemy import SqlalchemyIntegration
|
||||
from werkzeug.middleware.proxy_fix import ProxyFix
|
||||
|
||||
from app import paddle_utils, config, paddle_callback
|
||||
from app import paddle_utils, config, paddle_callback, constants
|
||||
from app.admin_model import (
|
||||
SLAdminIndexView,
|
||||
UserAdmin,
|
||||
@ -430,6 +430,7 @@ def jinja2_filter(app):
|
||||
PAGE_LIMIT=PAGE_LIMIT,
|
||||
ZENDESK_ENABLED=ZENDESK_ENABLED,
|
||||
MAX_NB_EMAIL_FREE_PLAN=MAX_NB_EMAIL_FREE_PLAN,
|
||||
HEADER_ALLOW_API_COOKIES=constants.HEADER_ALLOW_API_COOKIES,
|
||||
)
|
||||
|
||||
|
||||
|
@ -264,6 +264,7 @@
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
'{{HEADER_ALLOW_API_COOKIES}}': 'allow'
|
||||
}
|
||||
});
|
||||
|
||||
|
@ -80,7 +80,10 @@
|
||||
},
|
||||
methods: {
|
||||
generateRandomAlias: async function (event) {
|
||||
let result = await fetch('/api/alias/random/new', {method: 'POST'});
|
||||
let result = await fetch('/api/alias/random/new', {method: 'POST',
|
||||
headers: {
|
||||
'{{HEADER_ALLOW_API_COOKIES}}': 'allow'
|
||||
}});
|
||||
if (result.ok) {
|
||||
let data = await result.json();
|
||||
this.ticket_email = data.alias;
|
||||
|
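Review bot: The opt-in header now has to be hand-added to every `fetch` call, so a future API call that forgets it will silently lose cookie auth and fail with 401; a single page-level wrapper such as `const apiFetch = (url, opts = {}) => fetch(url, {...opts, headers: {'{{HEADER_ALLOW_API_COOKIES}}': 'allow', ...(opts.headers || {})}});` would make the header the default and keep the literal in one place. The new call in `generateRandomAlias` also relies on fetch's default `credentials: 'same-origin'` to send the session cookie, which is fine for these same-origin requests but deserves a one-line comment so nobody "fixes" it to `omit`. The enclosing Vue `methods` object continues outside the hunk.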
@ -216,6 +216,7 @@
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
'{{HEADER_ALLOW_API_COOKIES}}': 'allow'
|
||||
}
|
||||
});
|
||||
|
||||
@ -232,6 +233,7 @@
|
||||
method: "GET",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
'{{HEADER_ALLOW_API_COOKIES}}': 'allow'
|
||||
}
|
||||
});
|
||||
if (res.ok) {
|
||||
@ -249,6 +251,7 @@
|
||||
method: "GET",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
'{{HEADER_ALLOW_API_COOKIES}}': 'allow'
|
||||
}
|
||||
});
|
||||
if (res.ok) {
|
||||
|
@ -87,6 +87,7 @@
|
||||
method: "GET",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
'{{HEADER_ALLOW_API_COOKIES}}': 'allow'
|
||||
}
|
||||
});
|
||||
if (res.ok) {
|
||||
|