0
0
mirror of https://github.com/neon-mmd/websurfx.git synced 2024-11-22 05:58:21 -05:00

🛠️ fix: add code to prevent csrf attacks using cors (#172)

This commit is contained in:
neon_arch 2023-08-03 17:44:13 +03:00
parent 5b4e7c75c0
commit bef8956da6
3 changed files with 30 additions and 1 deletions

16
Cargo.lock generated
View File

@ -19,6 +19,21 @@ dependencies = [
"tracing",
]
[[package]]
name = "actix-cors"
version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b340e9cfa5b08690aae90fb61beb44e9b06f44fe3d0f93781aaa58cfba86245e"
dependencies = [
"actix-utils",
"actix-web",
"derive_more",
"futures-util",
"log",
"once_cell",
"smallvec 1.11.0",
]
[[package]]
name = "actix-files"
version = "0.6.2"
@ -3520,6 +3535,7 @@ dependencies = [
name = "websurfx"
version = "0.15.3"
dependencies = [
"actix-cors",
"actix-files",
"actix-web",
"async-trait",

View File

@ -14,6 +14,7 @@ handlebars = { version = "4.3.6", features = ["dir_source"] }
scraper = {version="*"}
actix-web = {version="4.3.1", features = ["cookies"]}
actix-files = {version="0.6.2"}
actix-cors = {version="0.6.4"}
serde_json = {version="*"}
fake-useragent = {version="*"}
env_logger = {version="0.10.0"}

View File

@ -12,8 +12,9 @@ use std::net::TcpListener;
use crate::server::routes;
use actix_cors::Cors;
use actix_files as fs;
use actix_web::{dev::Server, middleware::Logger, web, App, HttpServer};
use actix_web::{dev::Server, http::header, middleware::Logger, web, App, HttpServer};
use config::parser::Config;
use handlebars::Handlebars;
use handler::public_paths::public_path;
@ -50,9 +51,20 @@ pub fn run(listener: TcpListener, config: Config) -> std::io::Result<Server> {
let handlebars_ref: web::Data<Handlebars> = web::Data::new(handlebars);
let server = HttpServer::new(move || {
let cors: Cors = Cors::default()
.allow_any_origin()
.allowed_methods(vec!["GET"])
.allowed_headers(vec![
header::ORIGIN,
header::CONTENT_TYPE,
header::REFERER,
header::COOKIE,
]);
App::new()
.app_data(handlebars_ref.clone())
.app_data(web::Data::new(config.clone()))
.wrap(cors)
.wrap(Logger::default()) // added logging middleware for logging.
// Serve images and static files (css and js files).
.service(