localhost_frssoft/bloat
1
0
Fork 0
mirror of https://gitea.phreedom.club/localhost_frssoft/bloat.git synced 2025-05-09 13:28:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into localhost_custom

Browse source
This commit is contained in:
localhost_frssoft 2023-11-06 12:07:24 +03:00
commit ab58d8a900
9 changed files with 46 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

9
service/client.go
View file

@ -33,9 +33,11 @@ func (c *client) setSession(sess *model.Session) error {
return err
}
http.SetCookie(c.w, &http.Cookie{
Name: "session",
Value: sb.String(),
Expires: time.Now().Add(365 * 24 * time.Hour),
Name: "session",
Path: "/",
HttpOnly: true,
Value: sb.String(),
Expires: time.Now().Add(365 * 24 * time.Hour),
})
return nil
}
@ -53,6 +55,7 @@ func (c *client) getSession() (sess *model.Session, err error) {
func (c *client) unsetSession() {
http.SetCookie(c.w, &http.Cookie{
Name: "session",
Path: "/",
Value: "",
Expires: time.Now(),
})

36
service/service.go
View file

@ -1,6 +1,8 @@
package service
import (
"crypto/sha256"
"encoding/base64"
"errors"
"fmt"
"mime/multipart"
@ -936,10 +938,6 @@ func (s *service) NewSession(c *client, instance string) (rurl string, sess *mod
instanceURL = "https://" + instance
}
sid, err := util.NewSessionID()
if err != nil {
return
}
csrf, err := util.NewCSRFToken()
if err != nil {
return
@ -955,28 +953,14 @@ func (s *service) NewSession(c *client, instance string) (rurl string, sess *mod
if err != nil {
return
}
rurl = app.AuthURI
sess = &model.Session{
ID: sid,
Instance: instance,
ClientID: app.ClientID,
ClientSecret: app.ClientSecret,
CSRFToken: csrf,
Settings: *model.NewSettings(),
}
u, err := url.Parse("/oauth/authorize")
if err != nil {
return
}
q := make(url.Values)
q.Set("scope", "read write follow")
q.Set("client_id", app.ClientID)
q.Set("response_type", "code")
q.Set("redirect_uri", s.cwebsite+"/oauth_callback")
u.RawQuery = q.Encode()
rurl = instanceURL + u.String()
return
}
@ -1213,8 +1197,18 @@ func (s *service) SaveSettings(c *client, settings *model.Settings) (err error)
default:
return errInvalidArgument
}
if len(settings.CSS) > 1<<20 {
return errInvalidArgument
if len(settings.CSS) > 0 {
if len(settings.CSS) > 1<<20 {
return errInvalidArgument
}
// For some reason, browsers convert CRLF to LF before calculating
// the hash of the inline resources.
settings.CSS = strings.Replace(settings.CSS, "\x0d\x0a", "\x0a", -1)
h := sha256.Sum256([]byte(settings.CSS))
settings.CSSHash = base64.StdEncoding.EncodeToString(h[:])
} else {
settings.CSSHash = ""
}
c.s.Settings = *settings
return c.setSession(c.s)

24
service/transport.go
View file

@ -26,6 +26,15 @@ const (
CSRF
)
const csp = "default-src 'none';" +
" img-src *;" +
" media-src *;" +
" font-src *;" +
" child-src *;" +
" connect-src 'self';" +
" script-src 'self';" +
" style-src 'self'"
func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
r := mux.NewRouter()
@ -58,14 +67,14 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
}(time.Now())
}
var ct string
h := c.w.Header()
switch rt {
case HTML:
ct = "text/html; charset=utf-8"
h.Set("Content-Type", "text/html; charset=utf-8")
h.Set("Content-Security-Policy", csp)
case JSON:
ct = "application/json"
h.Set("Content-Type", "application/json")
}
c.w.Header().Add("Content-Type", ct)
err = c.authenticate(at, s.instance)
if err != nil {
@ -73,6 +82,13 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
return
}
// Override the CSP header to allow custom CSS
if rt == HTML && len(c.s.Settings.CSS) > 0 &&
len(c.s.Settings.CSSHash) > 0 {
v := fmt.Sprintf("%s 'sha256-%s'", csp, c.s.Settings.CSSHash)
h.Set("Content-Security-Policy", v)
}
err = f(c)
if err != nil {
writeError(c, err, rt, req.Method == http.MethodGet)