| author | Bobby <[email protected]> | 2022-03-21 04:48:28 -0400 |
|---|---|---|
| committer | Bobby <[email protected]> | 2022-03-21 04:48:28 -0400 |
| commit | ea6e14059d8904c83f16ef65dc30dfde70ca78d8 (patch) | |
| tree | c0630591e6f2f90f7bea4c976d5aef2079c16a51 | |
| parent | 1a55a855b5e448f2d27065e55ff8bf9900544db5 (diff) | |
| download | luciferreeves.github.io-ea6e14059d8904c83f16ef65dc30dfde70ca78d8.tar.xz luciferreeves.github.io-ea6e14059d8904c83f16ef65dc30dfde70ca78d8.zip | |
force check referer before api request
| -rw-r--r-- | public/views/createPost.html | 60 | ||||
| -rw-r--r-- | routes/blog.js | 194 | ||||
| -rw-r--r-- | server.js | 21 |
3 files changed, 117 insertions, 158 deletions
diff --git a/public/views/createPost.html b/public/views/createPost.html
index 976c0e5..c205f20 100644
--- a/public/views/createPost.html
+++ b/public/views/createPost.html
@@ -129,65 +129,7 @@ <script defer src="https://cdn.jsdelivr.net/npm/[email protected]/dist/contrib/auto-render.min.js" integrity="sha384-+XBljXPPiv+OzfbB3cVmLHf4hdUFHlWNZN5spNQ7rmHTXpd7WvJum6fIACpNNfIR" crossorigin="anonymous"></script> - <script> - window.addEventListener("DOMContentLoaded", () => { - const content = document.getElementById('content'); - const renderPreview = document.getElementById('renderPreview'); - marked.setOptions({ - highlight: function (code) { - return hljs.highlightAuto(code).value; - } - }); - content.addEventListener('input', () => { - renderPreview.innerHTML = marked.parse(content.value); - renderMathInElement(renderPreview, { - // customised options - // • auto-render specific keys, e.g.: - delimiters: [ - { left: '$$', right: '$$', display: true }, - { left: '$', right: '$', display: false }, - { left: '\\(', right: '\\)', display: false }, - { left: '\\[', right: '\\]', display: true } - ], - // • rendering keys, e.g.: - throwOnError: false - }); - }); - }); - $(document).on('click', '#publishPost', () => { - document.getElementById('error').classList.add('hidden'); - const content = $('#content').val(); - const title = $('#title').val(); - const publishDate = $('#publishDate').val(); - const slug = title.toLowerCase().replace(/ /g, '-').replace(/[^\w-]+/g, ''); - const tags = $('#tags').val(); - if (title === '' || publishDate === '') { - document.getElementById('error').classList.remove('hidden'); - return; - } else { - // Publish post to api/blog/new - const body = { - title: title, - publishDate: publishDate, - tags: tags, - content: content, - shortText: marked.parse(content.substring(0, 120) + "..."), - slug: slug - }; - $.ajax({ - url: '/api/blog/new', - type: 'POST', - data: body, - success: (data) => { - window.location.href = '/admin/dashboard'; - }, - error: (err) => { - console.log(err); - } - }); - } - }); - </script> + <script src="/static/assets/js/pages/publish.js"></script> </body> </html>
\ No newline at end of file
diff --git a/routes/blog.js b/routes/blog.js
index 29dbb65..221aaf8 100644
--- a/routes/blog.js
+++ b/routes/blog.js
@@ -2,102 +2,132 @@ const firebase = require("../firebase"); const express = require("express"); const router = express.Router(); +function checkReferer(referer) { + const whitelist = ["localhost", "thatcomputerscientist"]; + if (!referer) return false; + const host = referer.split("/")[2]; + if (whitelist.some((substring) => host.includes(substring))) { + return true; + } else { + return false; + } +} + router.get("/posts", (req, res) => { - const store = firebase.firestore(); - const posts = []; - let query = store.collection("posts"); - query = query.select("slug", "tags", "title", "shortText", "publishDate"); - query - .get() - .then(function (querySnapshot) { - querySnapshot.forEach(function (doc) { - posts.push(doc.data()); + const referer = req.headers.referer ? req.headers.referer : null; + if (checkReferer(referer)) { + const store = firebase.firestore(); + const posts = []; + let query = store.collection("posts"); + query = query.select("slug", "tags", "title", "shortText", "publishDate"); + query + .get() + .then(function (querySnapshot) { + querySnapshot.forEach(function (doc) { + posts.push(doc.data()); + }); + }) + .then(() => { + res.json(posts); }); - }) - .then(() => { - res.json(posts); - }); + } else { + res.status(403).send("Forbidden"); + } }); router.put("/update/:slug", (req, res) => { - const store = firebase.firestore(); - const { title, content, tags, publishDate, shortText, slug } = req.body; - const base64 = Buffer.from(content).toString("base64"); - const post = { - title, - content: base64, - tags: String(tags).split(",").length > 0 ? String(tags).split(",") : [], - publishDate, - shortText, - slug, - }; - let query = store.collection("posts"); - query = query.where("slug", "==", slug); - query - .get() - .then(function (querySnapshot) { - querySnapshot.forEach(function (doc) { - doc.ref.update({ - title: post.title, - content: post.content, - tags: post.tags, - publishDate: post.publishDate, + const referer = req.headers.referer ? 
req.headers.referer : null; + if (checkReferer(referer)) { + const store = firebase.firestore(); + const { title, content, tags, publishDate, shortText, slug } = req.body; + const base64 = Buffer.from(content).toString("base64"); + const post = { + title, + content: base64, + tags: String(tags).split(",").length > 0 ? String(tags).split(",") : [], + publishDate, + shortText, + slug, + }; + let query = store.collection("posts"); + query = query.where("slug", "==", slug); + query + .get() + .then(function (querySnapshot) { + querySnapshot.forEach(function (doc) { + doc.ref.update({ + title: post.title, + content: post.content, + tags: post.tags, + publishDate: post.publishDate, + }); }); + }) + .then(() => { + res.json({ success: true }); + }) + .catch((err) => { + res.json({ success: false, err }); }); - }) - .then(() => { - res.json({ success: true }); - }) - .catch((err) => { - res.json({ success: false, err }); - }); + } else { + res.status(403).send("Forbidden"); + } }); router.delete("/delete/:slug", (req, res) => { - const store = firebase.firestore(); - let query = store.collection("posts"); - query = query.where("slug", "==", req.params.slug); - query - .get() - .then(function (querySnapshot) { - querySnapshot.forEach(function (doc) { - doc.ref.delete(); + const referer = req.headers.referer ? 
req.headers.referer : null; + if (checkReferer(referer)) { + const store = firebase.firestore(); + let query = store.collection("posts"); + query = query.where("slug", "==", req.params.slug); + query + .get() + .then(function (querySnapshot) { + querySnapshot.forEach(function (doc) { + doc.ref.delete(); + }); + }) + .then(() => { + res.json({ success: true }); + }) + .catch((err) => { + res.json({ success: false, err }); }); - }) - .then(() => { - res.json({ success: true }); - }) - .catch((err) => { - res.json({ success: false, err }); - }); + } else { + res.status(403).send("Forbidden"); + } }); - router.post("/new", (req, res) => { - const { title, content, tags, publishDate, shortText, slug } = req.body; - const store = firebase.firestore(); - const id = store.collection("posts").doc().id; - // convert content to base64 - const base64 = Buffer.from(content).toString("base64"); - const post = { - id, - title, - content: base64, - tags: String(tags).split(",").length > 0 ? String(tags).split(",") : [], - publishDate, - shortText, - slug, - }; - let query = store.collection("posts"); - query - .doc(id) - .set(post) - .then(() => { - res.json({ success: true }); - }) - .catch((err) => { - res.json({ success: false, err }); - }); + const referer = req.headers.referer ? req.headers.referer : null; + if (checkReferer(referer)) { + const { title, content, tags, publishDate, shortText, slug } = req.body; + const store = firebase.firestore(); + const id = store.collection("posts").doc().id; + // convert content to base64 + const base64 = Buffer.from(content).toString("base64"); + const post = { + id, + title, + content: base64, + tags: String(tags).split(",").length > 0 ? 
String(tags).split(",") : [], + publishDate, + shortText, + slug, + }; + let query = store.collection("posts"); + query + .doc(id) + .set(post) + .then(() => { + res.json({ success: true }); + }) + .catch((err) => { + res.json({ success: false, err }); + }); + } else { + res.status(403).send("Forbidden"); + } }); module.exports = router; @@ -2,16 +2,12 @@ const express = require("express"); const bodyParser = require("body-parser"); const cors = require("cors"); - // Import the routes const routes = require("./routes"); // Create the server const app = express(); -var allowedOrigins = [ - "http://localhost:3000", - "https://thatcomputerscientist.com", -]; + app.use(function (req, res, next) { if ( req.get("X-Forwarded-Proto") === "http" && @@ -32,18 +28,9 @@ app.use( extended: true, }) ); -app.use( - cors({ - origin: function (origin, callback) { - // Block everything except the allowed origins - if (allowedOrigins.indexOf(origin) !== -1) { - callback(null, true); - } else { - callback(new Error("Not allowed by CORS")); - } - }, - }) -); + +app.use(cors()); + app.use("/static", express.static(__dirname + "/static")); app.use(express.static(__dirname + "/public")); app.engine("html", require("ejs").renderFile); |
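Review bot: `checkReferer` is a substring test — `host.includes(substring)` accepts any Referer whose host merely contains `localhost` or `thatcomputerscientist` — and `referer.split("/")[2]` keeps port and userinfo and is `undefined` for a Referer that is not a URL, so `host.includes` then throws a TypeError that surfaces as a 500 instead of the intended 403. Parsing the header with `new URL()` and comparing `hostname` exactly against full host names (the hunk's `thatcomputerscientist` is only a fragment; server.js in this same commit lists `thatcomputerscientist.com`) avoids both problems, as sketched below. The Referer header is client-supplied and omitted by many legitimate clients, so this is at best a CSRF-style hint; the `/update`, `/delete` and `/new` handlers have no authentication on the new side, which deserves a comment on `checkReferer` such as `// Referer allowlist only; not a substitute for authenticating the caller.` The same guard is copied into all four handlers, where a `router.use` middleware would apply it once, and `/posts` still has no `.catch` on its promise chain unlike the other three routes.
```javascript
function checkReferer(referer) {
  // Exact hostname allowlist (example values taken from this commit; adjust to the real hosts).
  const allowedHosts = ["localhost", "thatcomputerscientist.com"];
  if (!referer) return false;
  let host;
  try {
    host = new URL(referer).hostname;
  } catch (err) {
    return false; // malformed Referer: treat like a missing one
  }
  return allowedHosts.includes(host);
}
// … unchanged: route handlers …
```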
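Review bot: `app.use(cors())` in the second server.js hunk (`@@ -32,18 +28,9 @@`) answers every cross-origin request with `Access-Control-Allow-Origin: *`, so the `allowedOrigins` list deleted in the first server.js hunk is replaced by no origin policy at all, and the only remaining gate on the blog API is the client-supplied Referer check in routes/blog.js. If the old callback was dropped because same-origin requests carry no `Origin` header and `allowedOrigins.indexOf(undefined)` rejected them, the narrower fix is to keep the list and accept a missing origin: `if (!origin || allowedOrigins.includes(origin)) return callback(null, true);`. Either way the widening deserves a comment stating why unrestricted CORS is intended here.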
