diff --git a/apps/block_scout_web/lib/block_scout_web/api_router.ex b/apps/block_scout_web/lib/block_scout_web/api_router.ex
index 8fea1a1db0..0471b66f9b 100644
--- a/apps/block_scout_web/lib/block_scout_web/api_router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/api_router.ex
@@ -29,6 +29,8 @@ defmodule BlockScoutWeb.ApiRouter do
 pipe_through(:api)
 pipe_through(:account_api)
+ get("/get_csrf", UserController, :get_csrf)
+
 scope "/user" do
 get("/info", UserController, :info)
diff --git a/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex b/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex
index e94248695e..7ca5514a36 100644
--- a/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex
+++ b/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex
@@ -10,6 +10,7 @@ defmodule BlockScoutWeb.Account.Api.V1.UserController do
 alias Explorer.Account.{Identity, PublicTagsRequest, TagAddress, TagTransaction, WatchlistAddress}
 alias Explorer.ExchangeRates.Token
 alias Explorer.{Market, Repo}
+ alias Plug.CSRFProtection
 action_fallback(BlockScoutWeb.Account.Api.V1.FallbackController)
@@ -454,6 +455,14 @@ defmodule BlockScoutWeb.Account.Api.V1.UserController do
 end
 end
+ def get_csrf(conn, _) do
+ with {:auth, %{id: _}} <- {:auth, current_user(conn)} do
+ conn
+ |> put_status(200)
+ |> render(:csrf, %{csrf: CSRFProtection.get_csrf_token()})
+ end
+ end
+
 defp reject_nil_map_values(map) when is_map(map) do
 Map.reject(map, fn {_k, v} -> is_nil(v) end)
 end
diff --git a/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex b/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex
index 108ede6f6f..73a78d9194 100644
--- a/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex
+++ b/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex
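Review bot: The new `get("/get_csrf", UserController, :get_csrf)` route is placed directly under the two `pipe_through` calls rather than inside the `scope "/user"` block that holds the other `UserController` actions; if it is meant as a per-account endpoint it belongs in that scope, otherwise a one-line comment saying why it is top-level would help the next reader. The endpoint hands out a session-bound CSRF token to any same-origin script, so its safety rests on the `:api` pipeline's CORS configuration (not in this diff) not allowing credentialed cross-origin reads — worth confirming alongside this change. The enclosing `scope` that these lines live in starts and ends outside the hunk.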
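Review bot: `get_csrf/2` returns `CSRFProtection.get_csrf_token()`, which only produces a token that later validates if `Plug.CSRFProtection` (`protect_from_forgery`) ran earlier in the same request so the generated secret is written back to the session; the `:api`/`:account_api` pipelines are not in this diff, so please confirm one of them includes it, or the token handed out here will never match on the POST that uses it. Because the token is tied to the session, the response should not be cacheable — add `|> put_resp_header("cache-control", "no-store")` before `render`. `|> put_status(200)` is what `render` already does and can be dropped. The `with` has no `else`, so a `nil` `current_user/1` makes the action return `{:auth, nil}` to the fallback controller, which is fine only if `FallbackController` (outside the hunk) has a clause for that tuple.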
@@ -5,6 +5,10 @@ defmodule BlockScoutWeb.Account.AuthController do
 plug(Ueberauth)
+ def request(conn, _) do
+ not_found(conn)
+ end
+
 def logout(conn, _params) do
 conn
 |> configure_session(drop: true)
@@ -40,6 +44,10 @@ defmodule BlockScoutWeb.Account.AuthController do
 end
 end
+ def callback(conn, _) do
+ not_found(conn)
+ end
+
 # for importing in other controllers
 def authenticate!(conn) do
 current_user(conn) || redirect(conn, to: root())
diff --git a/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex b/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex
index 91299034a1..171c647b83 100644
--- a/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex
@@ -6,6 +6,10 @@ defmodule BlockScoutWeb.Account.Api.V1.UserView do
 AccountView.render("message.json", assigns)
 end
+ def render("csrf.json", %{csrf: csrf}) do
+ %{"token" => csrf}
+ end
+
 def render("user_info.json", %{identity: identity}) do
 %{"name" => identity.name, "email" => identity.email, "avatar" => identity.avatar, "nickname" => identity.nickname}
 end
diff --git a/apps/block_scout_web/lib/block_scout_web/views/error_view.ex b/apps/block_scout_web/lib/block_scout_web/views/error_view.ex
index a73af1a7de..090159d946 100644
--- a/apps/block_scout_web/lib/block_scout_web/views/error_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/error_view.ex
@@ -10,6 +10,14 @@ defmodule BlockScoutWeb.ErrorView do
 "Bad request"
 end
+ def render("401." <> _type, _assigns) do
+ "Unauthorized"
+ end
+
+ def render("403." <> _type, _assigns) do
+ "Forbidden"
+ end
+
 def render("422." <> _type, _assigns) do
 "Unprocessable entity"
 end
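Review bot: The new `request/2` clause (and the `callback/2` catch-all in the second hunk of this file) returns `not_found(conn)` with no explanation of when a routed auth action is reached at all; presumably this is the case where the `Ueberauth` plug did not intercept the request or callback phase (e.g. a provider name that is not configured) and the action would otherwise raise and surface as a 500. A one-line comment on each clause such as `# Reached only when the Ueberauth plug did not handle the phase (unknown provider); answer 404 instead of crashing` would record that intent. For `callback/2`, the clause is a catch-all, so it must stay after the more specific `callback` clauses that appear to end just above it; those clauses are outside the hunk, so please confirm the ordering.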