| author | AAGaming <aa@mail.catvibers.me> | 2022-08-05 21:16:29 -0400 |
|---|---|---|
| committer | AAGaming <aa@mail.catvibers.me> | 2022-08-05 21:16:29 -0400 |
| commit | f21d34506d0fd09d5849fcee552447cdfbf4802f (patch) | |
| tree | fa7475021d12d54f5edb74489b9ecf81a16bd639 /backend/legacy | |
| parent | ab6ec981604a32611d972ede634abe7ccd19b0d2 (diff) | |
| download | decky-loader-f21d34506d0fd09d5849fcee552447cdfbf4802f.tar.gz decky-loader-f21d34506d0fd09d5849fcee552447cdfbf4802f.zip | |
Implement CSRF protection
Diffstat (limited to 'backend/legacy')
| -rw-r--r-- | backend/legacy/library.js | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/backend/legacy/library.js b/backend/legacy/library.js index f9dfe699..17f4e46f 100644 --- a/backend/legacy/library.js +++ b/backend/legacy/library.js @@ -8,10 +8,13 @@ window.addEventListener("message", function(evt) { }, false); async function call_server_method(method_name, arg_object={}) { + const token = await fetch("http://127.0.0.1:1337/auth/token").then(r => r.text()); const response = await fetch(`http://127.0.0.1:1337/methods/${method_name}`, { method: 'POST', + credentials: "include", headers: { 'Content-Type': 'application/json', + Authentication: token }, body: JSON.stringify(arg_object), }); @@ -40,10 +43,13 @@ async function fetch_nocors(url, request={}) { async function call_plugin_method(method_name, arg_object={}) { if (plugin_name == undefined) throw new Error("Plugin methods can only be called from inside plugins (duh)"); + const token = await fetch("http://127.0.0.1:1337/auth/token").then(r => r.text()); const response = await fetch(`http://127.0.0.1:1337/plugins/${plugin_name}/methods/${method_name}`, { method: 'POST', + credentials: "include", headers: { - 'Content-Type': 'application/json', + 'Content-Type': 'application/json', + Authentication: token }, body: JSON.stringify({ args: arg_object, |
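Review bot: The added `const token = await fetch("http://127.0.0.1:1337/auth/token").then(r => r.text());` in `call_server_method`, repeated verbatim in `call_plugin_method` in the second hunk, never checks the response status, so an error body from the token route would be sent as the `Authentication` header and the failure would only surface as a rejected POST. I would write it as `const r = await fetch("http://127.0.0.1:1337/auth/token");`, `if (!r.ok) throw new Error("token request failed: " + r.status);` and `const token = await r.text();`, ideally in one shared helper so both callers stay in sync. It also deserves a comment such as `// CSRF token: only effective if the server keeps /auth/token unreadable to other origins (no permissive CORS on this route)`; the server side is not visible in this diff, so that property should be confirmed there. Both function bodies continue outside their hunks.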
