| author | AAGaming <aa@mail.catvibers.me> | 2022-08-05 21:16:29 -0400 |
|---|---|---|
| committer | AAGaming <aa@mail.catvibers.me> | 2022-08-05 21:16:29 -0400 |
| commit | f21d34506d0fd09d5849fcee552447cdfbf4802f (patch) | |
| tree | fa7475021d12d54f5edb74489b9ecf81a16bd639 /backend/main.py | |
| parent | ab6ec981604a32611d972ede634abe7ccd19b0d2 (diff) | |
Implement CSRF protection
Diffstat (limited to 'backend/main.py')
| -rw-r--r-- | backend/main.py | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/backend/main.py b/backend/main.py
index b52180ab..02cc0d56 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -20,12 +20,13 @@ from os import path
 from subprocess import call
 import aiohttp_cors
-from aiohttp.web import Application, run_app, static
+from aiohttp.web import Application, run_app, static, get, Response
 from aiohttp_jinja2 import setup as jinja_setup
 from browser import PluginBrowser
 from injector import inject_to_tab, tab_has_global_var
 from loader import Loader
+from helpers import csrf_middleware, get_csrf_token
 from utilities import Utilities
 from updater import Updater
@@ -41,9 +42,10 @@ class PluginManager:
     def __init__(self) -> None:
         self.loop = get_event_loop()
         self.web_app = Application()
+        self.web_app.middlewares.append(csrf_middleware)
         self.cors = aiohttp_cors.setup(self.web_app, defaults={
             "https://steamloopback.host": aiohttp_cors.ResourceOptions(expose_headers="*",
-                allow_headers="*")
+                allow_headers="*", allow_credentials=True)
         })
         self.plugin_loader = Loader(self.web_app, CONFIG["plugin_path"], self.loop, CONFIG["live_reload"])
         self.plugin_browser = PluginBrowser(CONFIG["plugin_path"], self.web_app, self.plugin_loader.plugins)
@@ -57,6 +59,8 @@ class PluginManager:
         self.loop.create_task(self.loader_reinjector())
         self.loop.create_task(self.load_plugins())
         self.loop.set_exception_handler(self.exception_handler)
+        self.web_app.add_routes([get("/auth/token", self.get_auth_token)])
+
         for route in list(self.web_app.router.routes()):
             self.cors.add(route)
         self.web_app.add_routes([static("/static", path.join(path.dirname(__file__), 'static'))])
@@ -67,6 +71,9 @@ class PluginManager:
         return loop.default_exception_handler(context)
+    async def get_auth_token(self, request):
+        return Response(text=get_csrf_token())
+
     async def wait_for_server(self):
         async with ClientSession() as web:
             while True:
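Review bot: `get_auth_token` in the last hunk hands the CSRF token out over a plain `GET /auth/token` with default caching headers, so the token can be retained by the browser or an intermediate HTTP cache beyond the session it was issued for; mark it uncacheable with `return Response(text=get_csrf_token(), headers={"Cache-Control": "no-store"})`. Whether `csrf_middleware` exempts this bootstrap route is decided in `helpers`, which is outside this diff, but it must (otherwise the frontend can never obtain a first token), so the handler deserves a comment recording that dependency, e.g. `# Bootstrap route: must remain exempt from csrf_middleware; cross-origin reads are gated only by the CORS origin list`. That CORS gate is the sole cross-origin control on the token, and `allow_credentials=True` together with `allow_headers="*"` (second hunk) is only acceptable because the allowed origin is the single fixed `https://steamloopback.host`; a note there that the list must never widen to a wildcard would keep a later edit from undoing the protection. A one-line docstring on `get_auth_token` would also explain the unused `request` parameter, which aiohttp's handler signature requires.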
