From f21d34506d0fd09d5849fcee552447cdfbf4802f Mon Sep 17 00:00:00 2001
From: AAGaming <aa@mail.catvibers.me>
Date: Fri, 5 Aug 2022 21:16:29 -0400
Subject: Implement CSRF protection

---
 backend/helpers.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'backend/helpers.py')

diff --git a/backend/helpers.py b/backend/helpers.py
index a75f1075..e8c2ce5b 100644
--- a/backend/helpers.py
+++ b/backend/helpers.py
@@ -1,7 +1,20 @@
+from aiohttp.web import middleware, Response
 import ssl
 import certifi
+import uuid
 
 ssl_ctx = ssl.create_default_context(cafile=certifi.where())
 
+csrf_token = str(uuid.uuid4())
+
 def get_ssl_context():
-    return ssl_ctx
\ No newline at end of file
+    return ssl_ctx
+
+def get_csrf_token():
+    return csrf_token
+
+@middleware
+async def csrf_middleware(request, handler):
+    if str(request.method) == "OPTIONS" or request.headers.get('Authentication') == csrf_token or str(request.rel_url) == "/auth/token" or str(request.rel_url).startswith("/plugins/load_main/") or str(request.rel_url).startswith("/static/") or str(request.rel_url).startswith("/legacy/") or str(request.rel_url).startswith("/steam_resource/"):
+        return await handler(request)
+    return Response(text='Forbidden', status='403')
\ No newline at end of file
-- 
cgit v1.2.3