Request a csrftoken before every request

public/src/js/account.js

@@ -397,38 +397,45 @@ class Account{
 	}
 	request(url, obj, get){
 		this.lock(true)
-		return new Promise((resolve, reject) => {
+		var doRequest = token => {
-			var request = new XMLHttpRequest()
+			return new Promise((resolve, reject) => {
-			request.open(get ? "GET" : "POST", "api/" + url)
+				var request = new XMLHttpRequest()
-			pageEvents.load(request).then(() => {
+				request.open(get ? "GET" : "POST", "api/" + url)
-				this.lock(false)
+				pageEvents.load(request).then(() => {
-				if(request.status !== 200){
+					this.lock(false)
+					if(request.status !== 200){
+						reject()
+						return
+					}
+					try{
+						var json = JSON.parse(request.response)
+					}catch(e){
+						reject()
+						return
+					}
+					if(json.status === "ok"){
+						resolve(json)
+					}else{
+						reject(json)
+					}
+				}, () => {
+					this.lock(false)
 					reject()
-					return
+				})
-				}
+				if(obj){
-				try{
+					request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
-					var json = JSON.parse(request.response)
+					request.setRequestHeader("X-CSRFToken", token)
-				}catch(e){
+					request.send(JSON.stringify(obj))
-					reject()
-					return
-				}
-				if(json.status === "ok"){
-					resolve(json)
 				}else{
-					reject(json)
+					request.send()
 				}
-			}, () => {
-				this.lock(false)
-				reject()
 			})
-			if(obj){
+		}
-				request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
+		if(get){
-				request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)
+			return doRequest()
-				request.send(JSON.stringify(obj))
+		}else{
-			}else{
+			return loader.getCsrfToken().then(doRequest)
-				request.send()
+		}
-			}
-		})
 	}
 	lock(isLocked){
 		this.locked = isLocked

public/src/js/loader.js

@@ -396,6 +396,16 @@ class Loader{
 			request.send()
 		})
 	}
+	getCsrfToken(){
+		return this.ajax("api/csrftoken").then(response => {
+			var json = JSON.parse(response)
+			if(json.status === "ok"){
+				return Promise.resolve(json.token)
+			}else{
+				return Promise.reject()
+			}
+		})
+	}
 	clean(error){
 		var fontDetectDiv = document.getElementById("fontdetectHelper")
 		if(fontDetectDiv){

public/src/js/scorestorage.js

@@ -272,32 +272,35 @@ class ScoreStorage{
 	}
 	sendToServer(obj, retry){
 		if(account.loggedIn){
-			var request = new XMLHttpRequest()
+			return loader.getCsrfToken().then(token => {
-			request.open("POST", "api/scores/save")
+				var request = new XMLHttpRequest()
-			var promise = pageEvents.load(request).then(response => {
+				request.open("POST", "api/scores/save")
-				if(request.status !== 200){
+				var promise = pageEvents.load(request).then(response => {
-					return Promise.reject()
+					if(request.status !== 200){
-				}
+						return Promise.reject()
-			}).catch(() => {
+					}
-				if(retry){
+				}).catch(() => {
-					this.scoreSaveFailed = true
+					if(retry){
-					account.loggedIn = false
+						this.scoreSaveFailed = true
-					delete account.username
+						account.loggedIn = false
-					delete account.displayName
+						delete account.username
-					this.load()
+						delete account.displayName
-					pageEvents.send("logout")
+						this.load()
-					return Promise.reject()
+						pageEvents.send("logout")
-				}else{
+						return Promise.reject()
-					return new Promise(resolve => {
+					}else{
-						setTimeout(() => {
+						return new Promise(resolve => {
-							resolve()
+							setTimeout(() => {
-						}, 3000)
+								resolve()
-					}).then(() => this.sendToServer(obj, true))
+							}, 3000)
-				}
+						}).then(() => this.sendToServer(obj, true))
+					}
+				})
+				request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
+				request.setRequestHeader("X-CSRFToken", token)
+				request.send(JSON.stringify(obj))
+				return promise
 			})
-			request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
-			request.send(JSON.stringify(obj))
-			return promise
 		}else{
 			return Promise.resolve()
 		}