jostreff/wireguard-ui
1
0
Fork 0
mirror of https://github.com/ngoduykhanh/wireguard-ui.git synced 2025-06-07 00:46:58 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: add content-type check to user management routes to mitigate CSRF

Browse source
This commit is contained in:
Marcus Wichelmann 2023-08-29 13:46:42 +02:00
parent b55543f424
commit 2a8edf38af
No known key found for this signature in database
GPG key ID: D9FC1B92E557C80D
1 changed files with 8 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

12
main.go
View file

@ -146,15 +146,19 @@ func main() {
app.GET(util.BasePath, handler.WireGuardClients(db), handler.ValidSession) app.GET(util.BasePath, handler.WireGuardClients(db), handler.ValidSession)
// Important: Make sure that all non-GET routes check the request content type using handler.ContentTypeJson to
// mitigate CSRF attacks. This is effective, because browsers don't allow setting the Content-Type header on
// cross-origin requests.
if !util.DisableLogin { if !util.DisableLogin {
app.GET(util.BasePath+"/login", handler.LoginPage()) app.GET(util.BasePath+"/login", handler.LoginPage())
app.POST(util.BasePath+"/login", handler.Login(db)) app.POST(util.BasePath+"/login", handler.Login(db), handler.ContentTypeJson)
app.GET(util.BasePath+"/logout", handler.Logout(), handler.ValidSession) app.GET(util.BasePath+"/logout", handler.Logout(), handler.ValidSession)
app.GET(util.BasePath+"/profile", handler.LoadProfile(db), handler.ValidSession) app.GET(util.BasePath+"/profile", handler.LoadProfile(db), handler.ValidSession)
app.GET(util.BasePath+"/users-settings", handler.UsersSettings(db), handler.ValidSession, handler.NeedsAdmin) app.GET(util.BasePath+"/users-settings", handler.UsersSettings(db), handler.ValidSession, handler.NeedsAdmin)
app.POST(util.BasePath+"/update-user", handler.UpdateUser(db), handler.ValidSession) app.POST(util.BasePath+"/update-user", handler.UpdateUser(db), handler.ValidSession, handler.ContentTypeJson)
app.POST(util.BasePath+"/create-user", handler.CreateUser(db), handler.ValidSession, handler.NeedsAdmin) app.POST(util.BasePath+"/create-user", handler.CreateUser(db), handler.ValidSession, handler.ContentTypeJson, handler.NeedsAdmin)
app.POST(util.BasePath+"/remove-user", handler.RemoveUser(db), handler.ValidSession, handler.NeedsAdmin) app.POST(util.BasePath+"/remove-user", handler.RemoveUser(db), handler.ValidSession, handler.ContentTypeJson, handler.NeedsAdmin)
app.GET(util.BasePath+"/getusers", handler.GetUsers(db), handler.ValidSession, handler.NeedsAdmin) app.GET(util.BasePath+"/getusers", handler.GetUsers(db), handler.ValidSession, handler.NeedsAdmin)
app.GET(util.BasePath+"/api/user/:username", handler.GetUser(db), handler.ValidSession) app.GET(util.BasePath+"/api/user/:username", handler.GetUser(db), handler.ValidSession)
} }