From 2232c36182602d76cef85ea6df8ce2c087d304bb Mon Sep 17 00:00:00 2001 From: LoveEevee Date: Tue, 17 Mar 2020 07:20:03 +0300 Subject: [PATCH] Request a csrftoken before every request --- public/src/js/account.js | 63 +++++++++++++++++++---------------- public/src/js/loader.js | 10 ++++++ public/src/js/scorestorage.js | 53 +++++++++++++++-------------- 3 files changed, 73 insertions(+), 53 deletions(-) diff --git a/public/src/js/account.js b/public/src/js/account.js index d33ab05..b40bcc4 100644 --- a/public/src/js/account.js +++ b/public/src/js/account.js 
@@ -397,38 +397,45 @@ class Account{ } request(url, obj, get){ this.lock(true) - return new Promise((resolve, reject) => { - var request = new XMLHttpRequest() - request.open(get ? "GET" : "POST", "api/" + url) - pageEvents.load(request).then(() => { - this.lock(false) - if(request.status !== 200){ + var doRequest = token => { + return new Promise((resolve, reject) => { + var request = new XMLHttpRequest() + request.open(get ? "GET" : "POST", "api/" + url) + pageEvents.load(request).then(() => { + this.lock(false) + if(request.status !== 200){ + reject() + return + } + try{ + var json = JSON.parse(request.response) + }catch(e){ + reject() + return + } + if(json.status === "ok"){ + resolve(json) + }else{ + reject(json) + } + }, () => { + this.lock(false) reject() - return - } - try{ - var json = JSON.parse(request.response) - }catch(e){ - reject() - return - } - if(json.status === "ok"){ - resolve(json) + }) + if(obj){ + request.setRequestHeader("Content-Type", "application/json;charset=UTF-8") + request.setRequestHeader("X-CSRFToken", token) + request.send(JSON.stringify(obj)) }else{ - reject(json) + request.send() } - }, () => { - this.lock(false) - reject() }) - if(obj){ - request.setRequestHeader("Content-Type", "application/json;charset=UTF-8") - request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token) - request.send(JSON.stringify(obj)) - }else{ - request.send() - } - }) + } + if(get){ + return doRequest() + }else{ + return loader.getCsrfToken().then(doRequest) + } } lock(isLocked){ this.locked = isLocked diff --git a/public/src/js/loader.js b/public/src/js/loader.js index 2f62e19..fd98cfc 100644 --- a/public/src/js/loader.js +++ b/public/src/js/loader.js 
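Review bot: `this.lock(true)` now runs before `loader.getCsrfToken()`, but only `doRequest` ever calls `this.lock(false)`, so a rejected token fetch in the POST branch leaves the account UI locked with no rejection reaching the caller's unlock path. Give that branch a rejection handler: `return loader.getCsrfToken().then(doRequest, err => { this.lock(false); return Promise.reject(err) })`. A POST with a falsy `obj` still takes the `request.send()` path without the `X-CSRFToken` header even though a token was just fetched; if the server enforces the token on every POST, set the header in that else branch as well. The design also depends on `api/csrftoken` being tied to the caller's session and not readable cross-origin — that is server-side and not in this patch, so it is worth confirming there.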
@@ -396,6 +396,16 @@ class Loader{ request.send() }) } + getCsrfToken(){ + return this.ajax("api/csrftoken").then(response => { + var json = JSON.parse(response) + if(json.status === "ok"){ + return Promise.resolve(json.token) + }else{ + return Promise.reject() + } + }) + } clean(error){ var fontDetectDiv = document.getElementById("fontdetectHelper") if(fontDetectDiv){ diff --git a/public/src/js/scorestorage.js b/public/src/js/scorestorage.js index 1bf8ed8..6d2b16c 100644 --- a/public/src/js/scorestorage.js +++ b/public/src/js/scorestorage.js 
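Review bot: `JSON.parse(response)` in `getCsrfToken` is unguarded, so a non-JSON body rejects with a `SyntaxError` while the status check rejects with `undefined`, giving callers two different failure shapes; account.js's `request` wraps its own parse in `try`, and this helper should do the same and reject with an `Error`. `return Promise.resolve(json.token)` inside a `.then` callback is redundant, `return json.token` is enough. `json.token` is also forwarded without any check, so an `ok` response with a missing token would later send `X-CSRFToken: undefined`; tighten the condition to `if(json.status === "ok" && typeof json.token === "string"){ return json.token }`.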
@@ -272,32 +272,35 @@ class ScoreStorage{ } sendToServer(obj, retry){ if(account.loggedIn){ - var request = new XMLHttpRequest() - request.open("POST", "api/scores/save") - var promise = pageEvents.load(request).then(response => { - if(request.status !== 200){ - return Promise.reject() - } - }).catch(() => { - if(retry){ - this.scoreSaveFailed = true - account.loggedIn = false - delete account.username - delete account.displayName - this.load() - pageEvents.send("logout") - return Promise.reject() - }else{ - return new Promise(resolve => { - setTimeout(() => { - resolve() - }, 3000) - }).then(() => this.sendToServer(obj, true)) - } + return loader.getCsrfToken().then(token => { + var request = new XMLHttpRequest() + request.open("POST", "api/scores/save") + var promise = pageEvents.load(request).then(response => { + if(request.status !== 200){ + return Promise.reject() + } + }).catch(() => { + if(retry){ + this.scoreSaveFailed = true + account.loggedIn = false + delete account.username + delete account.displayName + this.load() + pageEvents.send("logout") + return Promise.reject() + }else{ + return new Promise(resolve => { + setTimeout(() => { + resolve() + }, 3000) + }).then(() => this.sendToServer(obj, true)) + } + }) + request.setRequestHeader("Content-Type", "application/json;charset=UTF-8") + request.setRequestHeader("X-CSRFToken", token) + request.send(JSON.stringify(obj)) + return promise }) - request.setRequestHeader("Content-Type", "application/json;charset=UTF-8") - request.send(JSON.stringify(obj)) - return promise }else{ return Promise.resolve() }
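Review bot: The retry/logout handling in `sendToServer` is attached only to `pageEvents.load(request)` inside the `then` callback, so a rejection from `loader.getCsrfToken()` itself (the most likely failure once a session has expired) skips that `catch` entirely: no retry, `scoreSaveFailed` stays unset, and the client keeps `account.loggedIn` true. Moving the `catch` onto the outer chain makes the token fetch and the save share one failure path, with the inner logic otherwise unchanged. The method's closing brace lies just past the hunk.
```javascript
		return loader.getCsrfToken().then(token => {
			var request = new XMLHttpRequest()
			request.open("POST", "api/scores/save")
			var promise = pageEvents.load(request).then(response => {
				if(request.status !== 200){
					return Promise.reject()
				}
			})
			request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
			request.setRequestHeader("X-CSRFToken", token)
			request.send(JSON.stringify(obj))
			return promise
		}).catch(() => {
			// … unchanged: retry / logout branch (scoreSaveFailed, account reset, 3000 ms retry) …
		})
```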