Implement CSRF protection

author: AAGaming <aa@mail.catvibers.me> 2022-08-05 21:16:29 -0400
committer: AAGaming <aa@mail.catvibers.me> 2022-08-05 21:16:29 -0400
commit: f21d34506d0fd09d5849fcee552447cdfbf4802f (patch)
tree: fa7475021d12d54f5edb74489b9ecf81a16bd639 /backend/helpers.py
parent: ab6ec981604a32611d972ede634abe7ccd19b0d2 (diff)
download: decky-loader-f21d34506d0fd09d5849fcee552447cdfbf4802f.tar.gz
decky-loader-f21d34506d0fd09d5849fcee552447cdfbf4802f.zip
1 files changed, 14 insertions, 1 deletions
diff --git a/backend/helpers.py b/backend/helpers.py
index a75f1075..e8c2ce5b 100644
--- a/backend/helpers.py
+++ b/backend/helpers.py
@@ -1,7 +1,20 @@
+from aiohttp.web import middleware, Response
 import ssl
 import certifi
+import uuid
 
 ssl_ctx = ssl.create_default_context(cafile=certifi.where())
 
+csrf_token = str(uuid.uuid4())
+
 def get_ssl_context():
-    return ssl_ctx
-\ No newline at end of file
+    return ssl_ctx
+
+def get_csrf_token():
+    return csrf_token
+
+@middleware
+async def csrf_middleware(request, handler):
+    if str(request.method) == "OPTIONS" or request.headers.get('Authentication') == csrf_token or str(request.rel_url) == "/auth/token" or str(request.rel_url).startswith("/plugins/load_main/") or str(request.rel_url).startswith("/static/") or str(request.rel_url).startswith("/legacy/") or str(request.rel_url).startswith("/steam_resource/"):
+        return await handler(request)
+    return Response(text='Forbidden', status='403')
+\ No newline at end of file
author	AAGaming <aa@mail.catvibers.me>	2022-08-05 21:16:29 -0400
committer	AAGaming <aa@mail.catvibers.me>	2022-08-05 21:16:29 -0400
commit	f21d34506d0fd09d5849fcee552447cdfbf4802f (patch)
tree	fa7475021d12d54f5edb74489b9ecf81a16bd639 /backend/helpers.py
parent	ab6ec981604a32611d972ede634abe7ccd19b0d2 (diff)
download	decky-loader-f21d34506d0fd09d5849fcee552447cdfbf4802f.tar.gz decky-loader-f21d34506d0fd09d5849fcee552447cdfbf4802f.zip