🔒 use cookieless csrf protection for uncritical requests

This commit is contained in:
DrMaxNix 2024-02-18 21:07:52 +01:00
parent 3eb5826189
commit 82a49597d0
6 changed files with 30 additions and 0 deletions


@ -1,9 +1,18 @@
<?php
declare(strict_types = 1);
namespace Kimendisch\Sbgg_Jetzt;
use Flake\Excuse;
use Flake\Error;
use Flake\Id64;
// CHECK CSRF PROTECTION //
$x_cookieless_csrf_protection = getallheaders()["x-cookieless-csrf-protection"] ?? null;
if($x_cookieless_csrf_protection !== "42"){
// show an excuse page
Excuse::show("invalid_csrf_token");
}
// DECODE REQUEST //
// get json string
$json_body = file_get_contents("php://input");
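Review bot: The lookup `getallheaders()["x-cookieless-csrf-protection"]` depends on the header key's letter case, which HTTP does not guarantee and which, as far as I can tell, differs between SAPIs (the FPM implementation rebuilds names from `$_SERVER` in capitalised form, so the lowercase key would miss and every request would be rejected). Normalise the keys before the lookup, e.g. `$headers = array_change_key_case(getallheaders(), CASE_LOWER);` followed by `$x_cookieless_csrf_protection = $headers["x-cookieless-csrf-protection"] ?? null;`, or read `$_SERVER["HTTP_X_COOKIELESS_CSRF_PROTECTION"] ?? null` directly, which is case-insensitive by construction. The same three lines are repeated in the next two file sections (the `subscribe`/`unsubscribe`/`verify` handlers), so the fix applies there as well. A comment above the check would help the next reader: `// A custom request header cannot be set by a cross-site form post, and a cross-origin XHR/fetch carrying it triggers a CORS preflight, so its mere presence proves a same-origin script sent it; the value is not a secret.` I am assuming `Excuse::show()` terminates the request — if it only renders, the body is still decoded after a failed check.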


@ -1,9 +1,18 @@
<?php
declare(strict_types = 1);
namespace Kimendisch\Sbgg_Jetzt;
use Flake\Excuse;
use Flake\Error;
use Flake\Id64;
// CHECK CSRF PROTECTION //
$x_cookieless_csrf_protection = getallheaders()["x-cookieless-csrf-protection"] ?? null;
if($x_cookieless_csrf_protection !== "42"){
// show an excuse page
Excuse::show("invalid_csrf_token");
}
// DECODE REQUEST //
// get json string
$json_body = file_get_contents("php://input");


@ -1,8 +1,17 @@
<?php
declare(strict_types = 1);
namespace Kimendisch\Sbgg_Jetzt;
use Flake\Excuse;
use Flake\Error;
// CHECK CSRF PROTECTION //
$x_cookieless_csrf_protection = getallheaders()["x-cookieless-csrf-protection"] ?? null;
if($x_cookieless_csrf_protection !== "42"){
// show an excuse page
Excuse::show("invalid_csrf_token");
}
// DECODE REQUEST //
// get json string
$json_body = file_get_contents("php://input");


@ -56,6 +56,7 @@ async function newsletter_submit(){
var xhr = new XMLHttpRequest();
xhr.open("POST", "/api/newsletter/subscribe", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("x-cookieless-csrf-protection", "42");
xhr.send(JSON.stringify({
mail_address: mail_address,
verify_key: verify_key


@ -56,6 +56,7 @@ async function newsletter_submit(){
var xhr = new XMLHttpRequest();
xhr.open("POST", "/api/newsletter/unsubscribe", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("x-cookieless-csrf-protection", "42");
xhr.send(JSON.stringify({
mail_address: mail_address,
unsubscribe_key: unsubscribe_key


@ -192,6 +192,7 @@ async function newsletter_submit(){
var xhr = new XMLHttpRequest();
xhr.open("POST", "/api/newsletter/verify", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("x-cookieless-csrf-protection", "42");
xhr.send(JSON.stringify({
mail_address: mail_address,
language: language