From 253bbcde173b1bef6a40bb0d2739435e66eaac3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B8=D0=BA=D0=B8=D1=82=D0=B0=20=D0=9F=D0=BE=D0=B7?=
 =?UTF-8?q?=D0=B4=D0=BD=D1=8F=D0=BA=D0=BE=D0=B2?=
Date: Tue, 6 Sep 2022 19:11:11 +0300
Subject: [PATCH] Add get_csrf method; Fix some errors

---
 apps/block_scout_web/lib/block_scout_web/api_router.ex | 2 ++
 .../controllers/account/api/v1/user_controller.ex | 9 +++++++++
 .../controllers/account/auth_controller.ex | 8 ++++++++
 .../block_scout_web/views/account/api/v1/user_view.ex | 4 ++++
 .../lib/block_scout_web/views/error_view.ex | 8 ++++++++
 5 files changed, 31 insertions(+)

diff --git a/apps/block_scout_web/lib/block_scout_web/api_router.ex b/apps/block_scout_web/lib/block_scout_web/api_router.ex
index 8fea1a1db0..0471b66f9b 100644
--- a/apps/block_scout_web/lib/block_scout_web/api_router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/api_router.ex
@@ -29,6 +29,8 @@ defmodule BlockScoutWeb.ApiRouter do
     pipe_through(:api)
     pipe_through(:account_api)
 
+    get("/get_csrf", UserController, :get_csrf)
+
     scope "/user" do
       get("/info", UserController, :info)
 
diff --git a/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex b/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex
index e94248695e..7ca5514a36 100644
--- a/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex
+++ b/apps/block_scout_web/lib/block_scout_web/controllers/account/api/v1/user_controller.ex
@@ -10,6 +10,7 @@ defmodule BlockScoutWeb.Account.Api.V1.UserController do
   alias Explorer.Account.{Identity, PublicTagsRequest, TagAddress, TagTransaction, WatchlistAddress}
   alias Explorer.ExchangeRates.Token
   alias Explorer.{Market, Repo}
+  alias Plug.CSRFProtection
 
   action_fallback(BlockScoutWeb.Account.Api.V1.FallbackController)
 
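Review bot: The new `get("/get_csrf", UserController, :get_csrf)` route serves a CSRF token from a plain GET endpoint, so its safety rests on the origin policy of the `:api`/`:account_api` pipelines, which is outside this hunk: if those pipelines answer cross-origin requests with credentials (a permissive CORS setup), another site can read the token from a logged-in browser and the forgery protection it is meant to back is lost, so the CORS configuration for this path should be confirmed to be same-origin only. On style, the path embeds a verb, unlike the sibling routes such as `/user/info`; `get("/csrf", UserController, :get_csrf)` would fit the existing naming. The enclosing `scope` starts before this hunk.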
@@ -454,6 +455,14 @@ defmodule BlockScoutWeb.Account.Api.V1.UserController do
     end
   end
 
+  def get_csrf(conn, _) do
+    with {:auth, %{id: _}} <- {:auth, current_user(conn)} do
+      conn
+      |> put_status(200)
+      |> render(:csrf, %{csrf: CSRFProtection.get_csrf_token()})
+    end
+  end
+
   defp reject_nil_map_values(map) when is_map(map) do
     Map.reject(map, fn {_k, v} -> is_nil(v) end)
   end
diff --git a/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex b/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex
index 108ede6f6f..73a78d9194 100644
--- a/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex
+++ b/apps/block_scout_web/lib/block_scout_web/controllers/account/auth_controller.ex
@@ -5,6 +5,10 @@ defmodule BlockScoutWeb.Account.AuthController do
 
   plug(Ueberauth)
 
+  def request(conn, _) do
+    not_found(conn)
+  end
+
   def logout(conn, _params) do
     conn
     |> configure_session(drop: true)
@@ -40,6 +44,10 @@ defmodule BlockScoutWeb.Account.AuthController do
     end
   end
 
+  def callback(conn, _) do
+    not_found(conn)
+  end
+
   # for importing in other controllers
   def authenticate!(conn) do
     current_user(conn) || redirect(conn, to: root())
diff --git a/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex b/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex
index 91299034a1..171c647b83 100644
--- a/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/account/api/v1/user_view.ex
@@ -6,6 +6,10 @@ defmodule BlockScoutWeb.Account.Api.V1.UserView do
     AccountView.render("message.json", assigns)
   end
 
+  def render("csrf.json", %{csrf: csrf}) do
+    %{"token" => csrf}
+  end
+
   def render("user_info.json", %{identity: identity}) do
     %{"name" => identity.name, "email" => identity.email, "avatar" => identity.avatar, "nickname" => identity.nickname}
   end
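Review bot: `get_csrf/2` returns `CSRFProtection.get_csrf_token()`, but that call only generates the token and caches it in the process dictionary; it is the `Plug.CSRFProtection` plug itself (`protect_from_forgery`) that copies the unmasked token into the session in its before_send callback, so unless that plug runs in the `:account_api` pipeline the token handed out here is never persisted and will fail every later check. That should be confirmed against the router and recorded above the function, e.g. `# Relies on Plug.CSRFProtection running in this pipeline; only that plug persists the token to the session.` The `|> put_status(200)` line is redundant, since 200 is already the status `render/3` sends. The `with` has no `else`, so a request without a current user presumably returns `{:auth, nil}` to the fallback controller; whether the fallback maps that tuple to a 401 is outside this hunk and worth checking.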
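Review bot: `request/2` and the identical `callback/2` clause in the second hunk of this file are catch-alls that answer 404, so their correctness depends on clause order: `request/2` has to sit after `plug(Ueberauth)` (it does here), and `callback/2` must stay after any more specific `callback` clauses, which the `end end` preceding it suggests exist but which are not visible in the hunk. A one-line comment on each would make that intent explicit, e.g. `# Fallback when Ueberauth did not handle this phase (e.g. no matching provider): answer 404 rather than failing on a missing action.` — the "missing action" part is my reading of the commit subject, so confirm it. Naming the ignored parameter `_params`, as `logout/2` does, would keep the file consistent; `not_found/1` is not defined in this hunk and presumably comes from the controller base.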
diff --git a/apps/block_scout_web/lib/block_scout_web/views/error_view.ex b/apps/block_scout_web/lib/block_scout_web/views/error_view.ex
index a73af1a7de..090159d946 100644
--- a/apps/block_scout_web/lib/block_scout_web/views/error_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/error_view.ex
@@ -10,6 +10,14 @@ defmodule BlockScoutWeb.ErrorView do
     "Bad request"
   end
 
+  def render("401." <> _type, _assigns) do
+    "Unauthorized"
+  end
+
+  def render("403." <> _type, _assigns) do
+    "Forbidden"
+  end
+
   def render("422." <> _type, _assigns) do
     "Unprocessable entity"
   end