🛠️ fix: add code to prevent csrf attacks using cors (#172)

2024-11-21 21:48:21 -05:00 · 2023-08-03 17:44:13 +03:00 · 2023-08-03 17:44:13 +03:00 · bef8956da6
commit bef8956da6
parent 5b4e7c75c0
3 changed files with 30 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -19,6 +19,21 @@ dependencies = [
 "tracing",
 ]

+[[package]]
+name = "actix-cors"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b340e9cfa5b08690aae90fb61beb44e9b06f44fe3d0f93781aaa58cfba86245e"
+dependencies = [
+ "actix-utils",
+ "actix-web",
+ "derive_more",
+ "futures-util",
+ "log",
+ "once_cell",
+ "smallvec 1.11.0",
+]
+
 [[package]]
 name = "actix-files"
 version = "0.6.2"
@ -3520,6 +3535,7 @@ dependencies = [
 name = "websurfx"
 version = "0.15.3"
 dependencies = [
+ "actix-cors",
 "actix-files",
 "actix-web",
 "async-trait",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -14,6 +14,7 @@ handlebars = { version = "4.3.6", features = ["dir_source"] }
 scraper = {version="*"}
 actix-web = {version="4.3.1", features = ["cookies"]}
 actix-files = {version="0.6.2"}
+actix-cors = {version="0.6.4"}
 serde_json = {version="*"}
 fake-useragent = {version="*"}
 env_logger = {version="0.10.0"}
--- a/src/lib.rs
+++ b/src/lib.rs
@ -12,8 +12,9 @@ use std::net::TcpListener;

 use crate::server::routes;

+use actix_cors::Cors;
 use actix_files as fs;
-use actix_web::{dev::Server, middleware::Logger, web, App, HttpServer};
+use actix_web::{dev::Server, http::header, middleware::Logger, web, App, HttpServer};
 use config::parser::Config;
 use handlebars::Handlebars;
 use handler::public_paths::public_path;
@ -50,9 +51,20 @@ pub fn run(listener: TcpListener, config: Config) -> std::io::Result<Server> {
    let handlebars_ref: web::Data<Handlebars> = web::Data::new(handlebars);

    let server = HttpServer::new(move || {
+        let cors: Cors = Cors::default()
+            .allow_any_origin()
+            .allowed_methods(vec!["GET"])
+            .allowed_headers(vec![
+                header::ORIGIN,
+                header::CONTENT_TYPE,
+                header::REFERER,
+                header::COOKIE,
+            ]);
+
        App::new()
            .app_data(handlebars_ref.clone())
            .app_data(web::Data::new(config.clone()))
+            .wrap(cors)
            .wrap(Logger::default()) // added logging middleware for logging.
            // Serve images and static files (css and js files).
            .service(