From 8bfddc7037ea6291dca5e2c62da0ce5d7d6863e7 Mon Sep 17 00:00:00 2001 From: Peter Deltchev Date: Wed, 11 Nov 2015 13:45:44 -0800 Subject: [PATCH] Fixes #10: Use the X-XSRF-TOKEN header globally for AJAX CSRF protection. --- app/Library/Assets.php | 2 ++ gulpfile.js | 2 ++ .../controllers/account-albums-edit.coffee | 4 +-- .../app/controllers/account-settings.coffee | 2 +- .../app/controllers/account-track.coffee | 4 +-- .../assets/scripts/app/services/auth.coffee | 5 ++-- .../scripts/app/services/comments.coffee | 2 +- .../scripts/app/services/favourites.coffee | 2 +- .../assets/scripts/app/services/follow.coffee | 2 +- .../scripts/app/services/playlists.coffee | 6 ++-- .../assets/scripts/app/services/upload.coffee | 2 +- .../assets/scripts/embed/favourite.coffee | 2 +- .../scripts/shared/jquery-extensions.js | 29 ++++++++++++++++++- resources/views/shared/_app_layout.blade.php | 1 - resources/views/tracks/embed.blade.php | 4 --- 15 files changed, 46 insertions(+), 23 deletions(-) diff --git a/app/Library/Assets.php b/app/Library/Assets.php index 80fac979..570bb6d6 100644 --- a/app/Library/Assets.php +++ b/app/Library/Assets.php @@ -101,11 +101,13 @@ class Assets if ($area == 'embed') { return [ "scripts/base/jquery-2.0.2.js", + "scripts/base/jquery.cookie.js", "scripts/base/jquery.viewport.js", "scripts/base/underscore.js", "scripts/base/moment.js", "scripts/base/jquery.timeago.js", "scripts/base/soundmanager2-nodebug.js", + "scripts/shared/jquery-extensions.js", "scripts/embed/*.coffee" ]; } diff --git a/gulpfile.js b/gulpfile.js index 5334d401..5ee540b5 100644 --- a/gulpfile.js +++ b/gulpfile.js 
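Review bot: The new `"scripts/shared/jquery-extensions.js"` entry in the embed list depends on `"scripts/base/jquery.cookie.js"`, added a few lines above it, because the AJAX prefilter that file installs calls `jQuery.cookie`; nothing in the list records that dependency. A short comment on the entry, e.g. `// installs the X-XSRF-TOKEN ajaxPrefilter; needs jquery.cookie.js in this bundle`, would help the next person editing it. The same list is repeated by hand in gulpfile.js (next hunk), so both have to be changed together; this diff does that, but a pointer between the two would reduce the chance they drift.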
@@ -106,11 +106,13 @@ gulp.task("scripts-embed", function () { var includedScripts = [ "resources/assets/scripts/base/jquery-2.0.2.js", + "resources/assets/scripts/base/jquery.cookie.js", "resources/assets/scripts/base/jquery.viewport.js", "resources/assets/scripts/base/underscore.js", "resources/assets/scripts/base/moment.js", "resources/assets/scripts/base/jquery.timeago.js", "resources/assets/scripts/base/soundmanager2-nodebug.js", + "resources/assets/scripts/shared/jquery-extensions.js", "resources/assets/scripts/embed/*.coffee" ]; diff --git a/resources/assets/scripts/app/controllers/account-albums-edit.coffee b/resources/assets/scripts/app/controllers/account-albums-edit.coffee index 57295dbf..3683f8b3 100644 --- a/resources/assets/scripts/app/controllers/account-albums-edit.coffee +++ b/resources/assets/scripts/app/controllers/account-albums-edit.coffee @@ -108,7 +108,7 @@ angular.module('ponyfm').controller "account-albums-edit", [ formData.append 'track_ids', _.map($scope.tracks, (t) -> t.id).join() xhr.open 'POST', url, true - xhr.setRequestHeader 'X-CSRF-Token', pfm.token + xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN') $scope.isSaving = true xhr.send formData @@ -117,7 +117,7 @@ angular.module('ponyfm').controller "account-albums-edit", [ {result: 'ok', label: 'Yes', cssClass: 'btn-danger'}, {result: 'cancel', label: 'No', cssClass: 'btn-primary'} ]).open().then (res) -> return if res == 'cancel' - $.post('/api/web/albums/delete/' + $scope.album.id, {_token: window.pfm.token}) + $.post('/api/web/albums/delete/' + $scope.album.id) .then -> $scope.$apply -> $scope.$emit 'album-deleted' $state.transitionTo 'account.albums' diff --git a/resources/assets/scripts/app/controllers/account-settings.coffee b/resources/assets/scripts/app/controllers/account-settings.coffee index 8b1056c7..117c71b0 100644 --- a/resources/assets/scripts/app/controllers/account-settings.coffee +++ b/resources/assets/scripts/app/controllers/account-settings.coffee 
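Review bot: The raw `XMLHttpRequest` in the first account-albums-edit hunk bypasses jQuery's AJAX layer, so the new `xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')` has to repeat what the shared ajaxPrefilter does, and the same line is repeated in the account-settings, account-track and upload hunks. When the cookie is missing, `$.cookie` returns `undefined` and the header is sent as the literal string "undefined", which would presumably be rejected anyway but is confusing to debug; one small helper, e.g. `setXsrfHeader = (xhr) -> xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')` (constructed name) holding that guard in one place would cover all four callers. The second hunk's `$.post('/api/web/albums/delete/' + $scope.album.id)` now relies on the prefilter from jquery-extensions.js and on jquery.cookie.js being in the app bundle; the diff only shows them added to the embed bundle, so that is presumably already the case for the app but worth confirming. Both enclosing functions start outside their hunks.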
@@ -67,7 +67,7 @@ angular.module('ponyfm').controller "account-settings", [ formData.append name, value xhr.open 'POST', '/api/web/account/settings/save', true - xhr.setRequestHeader 'X-CSRF-Token', pfm.token + xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN') $scope.isSaving = true xhr.send formData diff --git a/resources/assets/scripts/app/controllers/account-track.coffee b/resources/assets/scripts/app/controllers/account-track.coffee index 9aa26b51..b6b3c5f3 100644 --- a/resources/assets/scripts/app/controllers/account-track.coffee +++ b/resources/assets/scripts/app/controllers/account-track.coffee @@ -116,7 +116,7 @@ angular.module('ponyfm').controller "account-track", [ formData.append 'show_song_ids', _.map(_.values($scope.selectedSongs), (s) -> s.id).join() xhr.open 'POST', '/api/web/tracks/edit/' + $scope.edit.id, true - xhr.setRequestHeader 'X-CSRF-Token', pfm.token + xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN') $scope.isSaving = true xhr.send formData @@ -151,7 +151,7 @@ angular.module('ponyfm').controller "account-track", [ {result: 'ok', label: 'Yes', cssClass: 'btn-danger'}, {result: 'cancel', label: 'No', cssClass: 'btn-primary'} ]).open().then (res) -> return if res == 'cancel' - $.post('/api/web/tracks/delete/' + track.id, {_token: window.pfm.token}) + $.post('/api/web/tracks/delete/' + track.id) .then -> $scope.$apply -> $scope.$emit 'track-deleted' $state.transitionTo 'account.tracks' diff --git a/resources/assets/scripts/app/services/auth.coffee b/resources/assets/scripts/app/services/auth.coffee index 35d2b863..1b366cae 100644 --- a/resources/assets/scripts/app/services/auth.coffee +++ b/resources/assets/scripts/app/services/auth.coffee 
@@ -20,7 +20,7 @@ angular.module('ponyfm').factory('auth', [ data: {isLogged: window.pfm.auth.isLogged, user: window.pfm.auth.user} login: (email, password, remember) -> def = new $.Deferred() - $.post('/api/web/auth/login', {email: email, password: password, remember: remember, _token: pfm.token}) + $.post('/api/web/auth/login', {email: email, password: password, remember: remember}) .done -> $rootScope.$apply -> def.resolve() @@ -29,6 +29,5 @@ angular.module('ponyfm').factory('auth', [ def.promise() - logout: -> $.post('/api/web/auth/logout', {_token: pfm.token}) + logout: -> $.post('/api/web/auth/logout') ]) - diff --git a/resources/assets/scripts/app/services/comments.coffee b/resources/assets/scripts/app/services/comments.coffee index 3e4c31cb..34d944f9 100644 --- a/resources/assets/scripts/app/services/comments.coffee +++ b/resources/assets/scripts/app/services/comments.coffee @@ -24,7 +24,7 @@ angular.module('ponyfm').factory('comments', [ addComment: (resourceType, resourceId, content) -> commentDef = new $.Deferred() - $http.post('/api/web/comments/' + resourceType + '/' + resourceId, {content: content, _token: pfm.token}).success (comment) -> + $http.post('/api/web/comments/' + resourceType + '/' + resourceId, {content: content}).success (comment) -> commentDef.resolve comment commentDef.promise() diff --git a/resources/assets/scripts/app/services/favourites.coffee b/resources/assets/scripts/app/services/favourites.coffee index f9cd79b9..a5ca3471 100644 --- a/resources/assets/scripts/app/services/favourites.coffee +++ b/resources/assets/scripts/app/services/favourites.coffee @@ -24,7 +24,7 @@ angular.module('ponyfm').factory('favourites', [ self = toggle: (type, id) -> def = new $.Deferred() - $http.post('/api/web/favourites/toggle', {type: type, id: id, _token: pfm.token}).success (res) -> + $http.post('/api/web/favourites/toggle', {type: type, id: id}).success (res) -> def.resolve res def.promise() 
diff --git a/resources/assets/scripts/app/services/follow.coffee b/resources/assets/scripts/app/services/follow.coffee index 9e97eb0b..d26239d3 100644 --- a/resources/assets/scripts/app/services/follow.coffee +++ b/resources/assets/scripts/app/services/follow.coffee @@ -20,7 +20,7 @@ angular.module('ponyfm').factory('follow', [ self = toggle: (type, id) -> def = new $.Deferred() - $http.post('/api/web/follow/toggle', {type: type, id: id, _token: pfm.token}).success (res) -> + $http.post('/api/web/follow/toggle', {type: type, id: id}).success (res) -> def.resolve res def.promise() diff --git a/resources/assets/scripts/app/services/playlists.coffee b/resources/assets/scripts/app/services/playlists.coffee index 9b90ee2a..afbd14ab 100644 --- a/resources/assets/scripts/app/services/playlists.coffee +++ b/resources/assets/scripts/app/services/playlists.coffee @@ -63,7 +63,7 @@ angular.module('ponyfm').factory('playlists', [ addTrackToPlaylist: (playlistId, trackId) -> def = new $.Deferred() - $http.post('/api/web/playlists/' + playlistId + '/add-track', {track_id: trackId, _token: pfm.token}).success (res) -> + $http.post('/api/web/playlists/' + playlistId + '/add-track', {track_id: trackId}).success (res) -> def.resolve(res) def @@ -77,7 +77,7 @@ angular.module('ponyfm').factory('playlists', [ deletePlaylist: (playlist) -> def = new $.Deferred() - $.post('/api/web/playlists/delete/' + playlist.id, {_token: window.pfm.token}) + $.post('/api/web/playlists/delete/' + playlist.id) .then -> $rootScope.$apply -> if _.some(self.pinnedPlaylists, (p) -> p.id == playlist.id) currentIndex = _.indexOf(self.pinnedPlaylists, (t) -> t.id == playlist.id) @@ -92,7 +92,6 @@ angular.module('ponyfm').factory('playlists', [ editPlaylist: (playlist) -> def = new $.Deferred() - playlist._token = pfm.token $.post('/api/web/playlists/edit/' + playlist.id, playlist) .done (res) -> $rootScope.$apply -> 
@@ -125,7 +124,6 @@ angular.module('ponyfm').factory('playlists', [ createPlaylist: (playlist) -> def = new $.Deferred() - playlist._token = pfm.token $.post('/api/web/playlists/create', playlist) .done (res) -> $rootScope.$apply -> diff --git a/resources/assets/scripts/app/services/upload.coffee b/resources/assets/scripts/app/services/upload.coffee index b951ab93..4205ff1b 100644 --- a/resources/assets/scripts/app/services/upload.coffee +++ b/resources/assets/scripts/app/services/upload.coffee @@ -62,6 +62,6 @@ angular.module('ponyfm').factory('upload', [ formData.append('track', file); xhr.open 'POST', '/api/web/tracks/upload', true - xhr.setRequestHeader 'X-CSRF-Token', pfm.token + xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN') xhr.send formData ]) diff --git a/resources/assets/scripts/embed/favourite.coffee b/resources/assets/scripts/embed/favourite.coffee index 2a346a71..d649d459 100644 --- a/resources/assets/scripts/embed/favourite.coffee +++ b/resources/assets/scripts/embed/favourite.coffee @@ -21,7 +21,7 @@ trackId = $player.data 'track-id' $favourite.click (e) -> e.preventDefault() - $.post('/api/web/favourites/toggle', {type: 'track', id: trackId, _token: pfm.token}).done (res) -> + $.post('/api/web/favourites/toggle', {type: 'track', id: trackId}).done (res) -> if res.is_favourited $player.addClass 'favourited' else diff --git a/resources/assets/scripts/shared/jquery-extensions.js b/resources/assets/scripts/shared/jquery-extensions.js index 2c9d91b3..6e5a6b5e 100644 --- a/resources/assets/scripts/shared/jquery-extensions.js +++ b/resources/assets/scripts/shared/jquery-extensions.js 
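Review bot: The embed favourite toggle now gets its CSRF token from the `XSRF-TOKEN` cookie through the prefilter in jquery-extensions.js instead of the page-injected `pfm.token`, so it only works if the response that serves the embed sets that cookie and the browser exposes it to the embed's scripts; embeds are usually framed on other sites, where third-party cookie restrictions can make `$.cookie('XSRF-TOKEN')` return `undefined`. Whether the old body token fared any better in that situation depends on the session cookie, which this diff does not show, so I would at least document the dependency above the `$.post` call: `# CSRF header is added by the ajaxPrefilter in shared/jquery-extensions.js from the XSRF-TOKEN cookie`. The click handler's body continues past the hunk.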
@@ -1,3 +1,22 @@ +/** + * Pony.fm - A community for pony fan music. + * Copyright (C) 2015 Peter Deltchev + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + + if (jQuery.when.all===undefined) { jQuery.when.all = function(deferreds) { var deferred = new jQuery.Deferred(); @@ -11,4 +30,12 @@ if (jQuery.when.all===undefined) { return deferred; } -} \ No newline at end of file +} + + +// Include the CSRF token with all jQuery AJAX requests +jQuery.ajaxPrefilter(function(options, originalOptions, jqXHR) { + if (!options.crossDomain) { + jqXHR.setRequestHeader('X-XSRF-TOKEN', jQuery.cookie('XSRF-TOKEN')) + } +}); diff --git a/resources/views/shared/_app_layout.blade.php b/resources/views/shared/_app_layout.blade.php index 2f6ced70..cc621b86 100644 --- a/resources/views/shared/_app_layout.blade.php +++ b/resources/views/shared/_app_layout.blade.php @@ -128,7 +128,6 @@ @section('scripts') - {!! Assets::scriptIncludes('embed') !!} @if(config('ponyfm.google_analytics_id'))
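Review bot: In the second hunk, `jqXHR.setRequestHeader('X-XSRF-TOKEN', jQuery.cookie('XSRF-TOKEN'))` runs even when the cookie is absent, in which case `jQuery.cookie` returns `undefined` and the header goes out as the literal string "undefined"; the line also lacks a terminating semicolon. I would read the cookie once and skip the header when it is empty: `var token = jQuery.cookie('XSRF-TOKEN');`, `if (!options.crossDomain && token) {`, `jqXHR.setRequestHeader('X-XSRF-TOKEN', token);`. The `options.crossDomain` gate is what keeps the token from being sent to other origins and should stay; a comment saying so, e.g. `// same-origin requests only: never send the token to another host`, would protect it from a future cleanup. Note also that the prefilter throws on every same-origin request if jquery.cookie.js is not in the bundle; this diff adds it for the embed bundle, while the app bundle is outside what I can see.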