SyedM/infinsweeper
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CSRF token support

Browse Source
This commit is contained in:
Syed Daanish
2025-09-03 15:36:28 +01:00
parent bdbf33098f
commit 0c2a8f3d98
7 changed files with 66 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
main.rb
View File

@@ -8,8 +8,6 @@ require "uri"
require "xxhash"
require "zlib"
load "logman.rb"
ALPHANUM = [*"0".."9", *"A".."Z", *"a".."z", "-", "_"].freeze
env_data = File.exist?(".env") ? File.read(".env") : ""
@@ -20,10 +18,9 @@ env_data.each_line do |line|
ENV_HASH[match[1]] = match[2]
end
load "logman.rb"
# Logman.log ENV_HASH.inspect
CODE_ENV = :dev
db_file = File.expand_path("infinsweeper.db")
DB = Sequel.connect("sqlite:///#{db_file}", single_threaded: false)
DB.run("PRAGMA foreign_keys = ON;")
@@ -40,6 +37,8 @@ get "/" do
@message = session.message || ""
session.message = ""
@signed_in = session.signed_in?.nil? ? false : true
@csrf_token = Array.new(32) { ALPHANUM.sample }.join
session["csrf_token"] = @csrf_token
ERB.new(File.read("index.erb")).result(binding)
end
@@ -53,23 +52,28 @@ post "/signup" do
uid = session["user"]
session.logout unless uid.nil? || $active_users[uid].nil?
data = JSON.parse(request.body.read)
unless session.csrf_auth?
status 401
return { "message" => "Unauthorized (invalid CSRF token)!" }.to_json
end
session["csrf_token"] = Array.new(32) { ALPHANUM.sample }.join
if data["email"].nil? || data["pass"].nil? || data["username"].nil?
status 400
return { "message" => "Bad request made!" }.to_json
return { "message" => "Bad request made!", "csrf_token" => session["csrf_token"] }.to_json
end
signup_status = Players.mk_player(data["username"], data["email"], data["pass"])
if signup_status[0] == 200
login_status = session.login(data["username"], data["pass"])
if login_status[0] == 200
status 200
return { "message" => login_status[1], "success" => "true" }.to_json
return { "message" => login_status[1], "success" => "true", "csrf_token" => session["csrf_token"] }.to_json
else
status login_status[0]
return { "message" => login_status[1] }.to_json
return { "message" => login_status[1], "csrf_token" => session["csrf_token"] }.to_json
end
end
status signup_status[0]
return { "message" => signup_status[1] }.to_json
return { "message" => signup_status[1], "csrf_token" => session["csrf_token"] }.to_json
end
get "/verify/:code" do
@@ -82,21 +86,30 @@ post "/login" do
data = JSON.parse(request.body.read)
session = Sessions.new request, response
uid = session["user"]
Logman.log(request.env["HTTP_X_CSRF_TOKEN"].to_s + " " + session["csrf_token"].to_s)
unless session.csrf_auth?
status 401
return { "message" => "Unauthorized (invalid CSRF token)!" }.to_json
end
session["csrf_token"] = Array.new(32) { ALPHANUM.sample }.join
if $active_users[uid] && !session.logout
status 500
return { "message" => "Internal server error when signing the existing session out!" }.to_json
return {
"message" => "Internal server error when signing the existing session out!",
"csrf_token" => session["csrf_token"],
}.to_json
end
if data["username"].nil? || data["pass"].nil?
status 400
return { "message" => "Bad request made!" }.to_json
return { "message" => "Bad request made!", "csrf_token" => session["csrf_token"] }.to_json
end
login_status = session.login(data["username"], data["pass"])
if login_status[0] == 200
status 200
return { "message" => login_status[1], "success" => "true" }.to_json
return { "message" => login_status[1], "success" => "true", "csrf_token" => session["csrf_token"] }.to_json
else
status login_status[0]
return { "message" => login_status[1] }.to_json
return { "message" => login_status[1], "csrf_token" => session["csrf_token"] }.to_json
end
end