From f21d34506d0fd09d5849fcee552447cdfbf4802f Mon Sep 17 00:00:00 2001
From: AAGaming
Date: Fri, 5 Aug 2022 21:16:29 -0400
Subject: Implement CSRF protection
---
 frontend/src/plugin-loader.tsx | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
(limited to 'frontend/src/plugin-loader.tsx')
diff --git a/frontend/src/plugin-loader.tsx b/frontend/src/plugin-loader.tsx
index 98cb3c06..29ca326f 100644
--- a/frontend/src/plugin-loader.tsx
+++ b/frontend/src/plugin-loader.tsx
@@ -75,6 +75,10 @@ class PluginLoader extends Logger {
 await fetch('http://localhost:1337/browser/uninstall_plugin', {
 method: 'POST',
 body: formData,
+ credentials: 'include',
+ headers: {
+ Authentication: window.deckyAuthToken,
+ },
 });
 }}
 onCancel={() => {
@@ -144,7 +148,12 @@ class PluginLoader extends Logger {
 }
 private async importReactPlugin(name: string) {
- let res = await fetch(`http://127.0.0.1:1337/plugins/${name}/frontend_bundle`);
+ let res = await fetch(`http://127.0.0.1:1337/plugins/${name}/frontend_bundle`, {
+ credentials: 'include',
+ headers: {
+ Authentication: window.deckyAuthToken,
+ },
+ });
 if (res.ok) {
 let plugin = await eval(await res.text())(this.createPluginAPI(name));
 this.plugins.push({
@@ -166,8 +175,10 @@ class PluginLoader extends Logger {
 async callServerMethod(methodName: string, args = {}) {
 const response = await fetch(`http://127.0.0.1:1337/methods/${methodName}`, {
 method: 'POST',
+ credentials: 'include',
 headers: {
 'Content-Type': 'application/json',
+ Authentication: window.deckyAuthToken,
 },
 body: JSON.stringify(args),
 });
@@ -182,8 +193,10 @@ class PluginLoader extends Logger {
 async callPluginMethod(methodName: string, args = {}) {
 const response = await fetch(`http://127.0.0.1:1337/plugins/${pluginName}/methods/${methodName}`, {
 method: 'POST',
+ credentials: 'include',
 headers: {
 'Content-Type': 'application/json',
+ Authentication: window.deckyAuthToken,
 },
 body: JSON.stringify({
 args,
--
cgit v1.2.3
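Review bot: The uninstall request in the first hunk still targets `http://localhost:1337` while the other three fetches in this patch use `http://127.0.0.1:1337`, and with `credentials: 'include'` added that difference now matters: cookies are scoped per host, so anything the backend sets under one name is not sent to the other. Whether the backend relies on a cookie is not visible here, but using one host everywhere removes the question, e.g. `await fetch('http://127.0.0.1:1337/browser/uninstall_plugin', {`. The result of this fetch also appears to be discarded, so a request the server rejects for a missing or wrong token would fail silently; checking `res.ok` before treating the plugin as uninstalled would surface that. The enclosing handler starts and ends outside the hunk.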
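Review bot: In `importReactPlugin` the bundle fetched with the token is passed to `eval` in the same page that holds `window.deckyAuthToken`, so every loaded plugin can read the token and attach it to its own requests. The new header therefore separates the frontend from other origins, not from plugin code, and that boundary deserves a comment at the `eval` call, for example `// plugin bundles run in this context and can read deckyAuthToken; the token only blocks cross-origin callers`. If per-plugin isolation is ever intended, the token would have to live somewhere plugin code cannot reach rather than on `window`. The method body continues past the end of the hunk.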
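Review bot: `methodName` is interpolated into the request path of `callServerMethod` unencoded, and this request now carries the token and cookies, so a name containing `/`, `..`, `?` or `#` would send an authenticated POST to a different backend route than the caller intended. Encoding the segment closes that: use `${encodeURIComponent(methodName)}` in the template string. The same applies to `${name}` in `importReactPlugin` and to `${pluginName}` and `${methodName}` in `callPluginMethod` in the last hunk. Where these names originate is not visible in the patch, so treat this as hardening rather than a confirmed bug.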