Add get_csrf method; Fix some errors

2 years ago · 253bbcde17
parent ba2754e4d6
commit 253bbcde17
5 changed files with 31 additions and 0 deletions
--- a/apps/block_scout_web/lib/block_scout_web/api_router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/api_router.ex
@ -29,6 +29,8 @@ defmodule BlockScoutWeb.ApiRouter do
    pipe_through(:api)
    pipe_through(:account_api)

+    get("/get_csrf", UserController, :get_csrf)
+
    scope "/user" do
      get("/info", UserController, :info)

--- a/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex
+++ b/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex
@ -10,6 +10,7 @@ defmodule BlockScoutWeb.Account.Api.V1.UserController do
  alias Explorer.Account.{Identity, PublicTagsRequest, TagAddress, TagTransaction, WatchlistAddress}
  alias Explorer.ExchangeRates.Token
  alias Explorer.{Market, Repo}
+  alias Plug.CSRFProtection

  action_fallback(BlockScoutWeb.Account.Api.V1.FallbackController)

@ -454,6 +455,14 @@ defmodule BlockScoutWeb.Account.Api.V1.UserController do
    end
  end

+  def get_csrf(conn, _) do
+    with {:auth, %{id: _}} <- {:auth, current_user(conn)} do
+      conn
+      |> put_status(200)
+      |> render(:csrf, %{csrf: CSRFProtection.get_csrf_token()})
+    end
+  end
+
  defp reject_nil_map_values(map) when is_map(map) do
    Map.reject(map, fn {_k, v} -> is_nil(v) end)
  end
--- a/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex
+++ b/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex
@ -5,6 +5,10 @@ defmodule BlockScoutWeb.Account.AuthController do

  plug(Ueberauth)

+  def request(conn, _) do
+    not_found(conn)
+  end
+
  def logout(conn, _params) do
    conn
    |> configure_session(drop: true)
@ -40,6 +44,10 @@ defmodule BlockScoutWeb.Account.AuthController do
    end
  end

+  def callback(conn, _) do
+    not_found(conn)
+  end
+
  # for importing in other controllers
  def authenticate!(conn) do
    current_user(conn) || redirect(conn, to: root())
--- a/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex
@ -6,6 +6,10 @@ defmodule BlockScoutWeb.Account.Api.V1.UserView do
    AccountView.render("message.json", assigns)
  end

+  def render("csrf.json", %{csrf: csrf}) do
+    %{"token" => csrf}
+  end
+
  def render("user_info.json", %{identity: identity}) do
    %{"name" => identity.name, "email" => identity.email, "avatar" => identity.avatar, "nickname" => identity.nickname}
  end
--- a/apps/block_scout_web/lib/block_scout_web/views/error_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/error_view.ex
@ -10,6 +10,14 @@ defmodule BlockScoutWeb.ErrorView do
    "Bad request"
  end

+  def render("401." <> _type, _assigns) do
+    "Unauthorized"
+  end
+
+  def render("403." <> _type, _assigns) do
+    "Forbidden"
+  end
+
  def render("422." <> _type, _assigns) do
    "Unprocessable entity"
  end