diff --git a/client/helpers/ajax.js b/client/helpers/ajax.js
index 6c594616..b1754dc8 100644
--- a/client/helpers/ajax.js
+++ b/client/helpers/ajax.js
@@ -6,6 +6,7 @@ export function http_get(url, type = "json", params) {
 xhr.open("GET", url, true);
 xhr.withCredentials = true;
 xhr.setRequestHeader("X-Requested-With", "XmlHttpRequest");
+ if (window.BEARER_TOKEN) xhr.setRequestHeader("Authorization", `Bearer ${window.BEARER_TOKEN}`);
 xhr.onerror = function() {
 handle_error_response(xhr, err);
 };
@@ -51,6 +52,7 @@ export function http_post(url, data, type = "json", params) {
 xhr.open("POST", url, true);
 xhr.withCredentials = true;
 xhr.setRequestHeader("X-Requested-With", "XmlHttpRequest");
+ if (window.BEARER_TOKEN) xhr.setRequestHeader("Authorization", `Bearer ${window.BEARER_TOKEN}`);
 if (data && type === "json") {
 data = JSON.stringify(data);
 xhr.setRequestHeader("Content-Type", "application/json");
@@ -70,6 +72,10 @@ export function http_post(url, data, type = "json", params) {
 handle_error_response(xhr, err);
 return;
 }
+
+ const bearerToken = xhr.getResponseHeader("bearer");
+ if (bearerToken) window.BEARER_TOKEN = bearerToken;
+
 try {
 const data = JSON.parse(xhr.responseText);
 if (data.status !== "ok") {
@@ -98,6 +104,7 @@ export function http_delete(url) {
 xhr.open("DELETE", url, true);
 xhr.withCredentials = true;
 xhr.setRequestHeader("X-Requested-With", "XmlHttpRequest");
+ if (window.BEARER_TOKEN) xhr.setRequestHeader("Authorization", `Bearer ${window.BEARER_TOKEN}`);
 xhr.onerror = function() {
 handle_error_response(xhr, err);
 };
@@ -129,6 +136,7 @@ export function http_options(url) {
 xhr.open("OPTIONS", url, true);
 xhr.withCredentials = true;
 xhr.setRequestHeader("X-Requested-With", "XmlHttpRequest");
+ if (window.BEARER_TOKEN) xhr.setRequestHeader("Authorization", `Bearer ${window.BEARER_TOKEN}`);
 xhr.onerror = function() {
 handle_error_response(xhr, err);
 };
diff --git a/client/pages/logout.js b/client/pages/logout.js
index 8cd12240..6d0ae33c 100644
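Review bot: The Authorization header added in http_get, http_post, http_delete and http_options is attached to every request regardless of `url`, so if any caller ever passes a cross-origin URL the token is handed to that origin together with the cookie that `withCredentials` already sends; guarding it with `if (window.BEARER_TOKEN && new URL(url, location.href).origin === location.origin)` keeps the token on this origin. The identical line is pasted into all four functions and would be better as one small helper, `set_bearer(xhr)`, wrapping that `if`. Keeping the token as a plain writable `window.BEARER_TOKEN` property lets any script on the page read or replace it; a module-scoped variable with exported get/set/clear functions in this file gives the same behaviour with a smaller surface. In the third http_post hunk the token is taken from the `bearer` header of every POST response before the body is parsed, and whether that should be limited to the session endpoint can't be told from here. The bodies of all four functions continue outside their hunks.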
--- a/client/pages/logout.js
+++ b/client/pages/logout.js
@@ -8,6 +8,7 @@ function LogoutPageComponent({ error, history }) {
 useEffect(() => {
 Session.logout().then((res) => {
 cache.destroy();
+ delete window.BEARER_TOKEN;
 window.CONFIG["logout"] ? location.href = CONFIG["logout"] : history.push("/");
diff --git a/public/assets/lib/ajax.js b/public/assets/lib/ajax.js
index 735a291a..ce7ced70 100644
--- a/public/assets/lib/ajax.js
+++ b/public/assets/lib/ajax.js
@@ -6,6 +6,7 @@ export default function(opts) {
 else if (typeof opts !== "object") throw new Error("unsupported call");
 if (!opts.headers) opts.headers = {};
 opts.headers["X-Requested-With"] = "XmlHttpRequest";
+ if (window.BEARER_TOKEN) opts.headers["Authorization"] = `Bearer ${window.BEARER_TOKEN}`;
 return ajax({ withCredentials: true, ...opts, responseType: "text" }).pipe(
 rxjs.map((res) => {
 const result = res.xhr.responseText;
diff --git a/public/assets/pages/connectpage/ctrl_form.js b/public/assets/pages/connectpage/ctrl_form.js
index 4557caa2..1062f45d 100644
--- a/public/assets/pages/connectpage/ctrl_form.js
+++ b/public/assets/pages/connectpage/ctrl_form.js
@@ -198,7 +198,8 @@ export default async function(render) {
 return rxjs.of(null).pipe(
 rxjs.tap(() => toggleLoader(true)),
 rxjs.mergeMap(() => createSession(formData)),
- rxjs.tap(({ responseJSON }) => { // TODO
+ rxjs.tap(({ responseJSON, responseHeaders }) => {
+ if (responseHeaders.bearer) window.BEARER_TOKEN = responseHeaders.bearer; // fix https://support.apple.com/en-au/guide/safari/sfri40732/mac
 let redirectURL = toHref("/files/");
 const GET = getURLParams();
 if (GET["next"]) redirectURL = GET["next"];
diff --git a/public/assets/pages/ctrl_logout.js b/public/assets/pages/ctrl_logout.js
index be0d4888..8d71f5a2 100644
--- a/public/assets/pages/ctrl_logout.js
+++ b/public/assets/pages/ctrl_logout.js
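Review bot: `delete window.BEARER_TOKEN` sits inside the `.then` callback, so when `Session.logout()` rejects the token survives in the global and the next request still carries it; appending `.finally(() => { delete window.BEARER_TOKEN; })` to the chain clears it on both outcomes. The same gap exists in the public/assets/pages/ctrl_logout.js hunk, where the tap only runs when deleteSession succeeds and catchError is the only path on failure. Whether the server side also invalidates the token when logout fails can't be seen from this diff. The useEffect callback and the `.then` handler both continue outside the hunk.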
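Review bot: The new assignment overwrites any `Authorization` header a caller placed in `opts.headers`, and it does so on the caller's own object because the function mutates `opts` in place; if callers are meant to be able to supply their own credentials, `if (window.BEARER_TOKEN && !opts.headers["Authorization"])` keeps theirs. The header is also added for whatever URL `opts` names, so a cross-origin call from this wrapper would carry the token to that origin alongside the `withCredentials` cookie. The function body continues past the hunk.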
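Review bot: `responseHeaders.bearer` is read without a guard, so if `createSession` — defined outside this file — can resolve without a `responseHeaders` object the tap throws and the redirect logic below it never runs; `responseHeaders?.bearer` avoids that. Whether createSession lowercases header names, as the `.bearer` key assumes, is also not visible here. The trailing comment only links an Apple support page and doesn't say what is being fixed; if the intent is the cross-site iframe cookie restriction that the server's `features.protection.iframe` flag suggests, a comment such as `// keep the token the server returns as a header: inside a cross-site iframe Safari may not send the session cookie` would spare the next reader the link. The tap callback continues outside the hunk.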
@@ -12,7 +12,10 @@ export default function(render) {
 effect(deleteSession().pipe(
 rxjs.mergeMap(setup_config),
- rxjs.tap(() => window.CONFIG["logout"] ? location.href = window.CONFIG["logout"] : navigate(toHref("/"))),
+ rxjs.tap(() => {
+ delete window.BEARER_TOKEN;
+ window.CONFIG["logout"] ? location.href = window.CONFIG["logout"] : navigate(toHref("/"))
+ }),
 rxjs.catchError(ctrlError(render)),
 ));
 }
diff --git a/server/ctrl/session.go b/server/ctrl/session.go
index f9505556..cc74333c 100644
--- a/server/ctrl/session.go
+++ b/server/ctrl/session.go
@@ -123,6 +123,9 @@ func SessionAuthenticate(ctx *App, res http.ResponseWriter, req *http.Request) {
 index++
 }
 }
+ if Config.Get("features.protection.iframe").String() != "" {
+ res.Header().Set("bearer", obfuscate)
+ }
 if home != "" {
 SendSuccessResult(res, home)
 return
diff --git a/server/routes.go b/server/routes.go
index 5808d1b0..dc19c0ca 100644
--- a/server/routes.go
+++ b/server/routes.go
@@ -100,7 +100,6 @@ func Build(a App) *mux.Router {
 } else { // TODO: remove this after migration is done
 r.PathPrefix(WithBase("/assets")).Handler(http.HandlerFunc(NewMiddlewareChain(ServeFile("/"), middlewares, a))).Methods("GET")
 r.HandleFunc(WithBase("/favicon.ico"), NewMiddlewareChain(ServeFile("/assets/logo/"), middlewares, a)).Methods("GET")
- r.HandleFunc(WithBase("/sw_cache.js"), NewMiddlewareChain(ServeFile("/assets/worker/"), middlewares, a)).Methods("GET")
 } // Other endpoints
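Review bot: The last statement of the new tap body, `window.CONFIG["logout"] ? location.href = window.CONFIG["logout"] : navigate(toHref("/"))`, has no terminating semicolon and uses a ternary purely for its side effects; `if (window.CONFIG["logout"]) location.href = window.CONFIG["logout"]; else navigate(toHref("/"));` says the same thing plainly and does not depend on ASI. Now that the callback holds two unrelated statements, a one-line comment above `delete window.BEARER_TOKEN;` such as `// forget the in-memory session token before leaving the page` would make the ordering intent explicit. The enclosing function starts before the hunk.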
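Review bot: Returning the session secret in a response header makes it readable by page scripts, which an HttpOnly session cookie would otherwise prevent, and the new block in SessionAuthenticate carries no comment explaining why that trade is acceptable; suggest `// With iframe protection enabled the session cookie may not be sent from inside cross-site iframes, so also hand the token to the client in a response header.` above the `if`. The guard `.String() != ""` treats any non-empty value as enabled, so an explicit "false" would still turn it on unless Config normalises that — not visible here. If this endpoint is ever reached cross-origin, the client's `getResponseHeader("bearer")` only sees the header when it is listed in `Access-Control-Expose-Headers`. The middleware that must now accept `Authorization: Bearer` on incoming requests is not part of this diff, and `obfuscate` is assigned before the hunk.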