Allow "GET" API calls and "Restart Station" button.

2021-08-27 19:30:26 -05:00 · 2021-08-27 19:30:26 -05:00 · 888e110c5d
parent 5a2f1a42e5
commit 888e110c5d
3 changed files with 17 additions and 6 deletions
--- a/src/Middleware/Auth/ApiAuth.php
+++ b/src/Middleware/Auth/ApiAuth.php
@ -51,11 +51,6 @@ class ApiAuth extends AbstractAuth
        }

        // Fallback to session login if available.
-        $csrfKey = $request->getHeaderLine('X-API-CSRF');
-        if (empty($csrfKey) && !$this->environment->isTesting()) {
-            return null;
-        }
-
        $auth = new Auth(
            userRepo:    $this->userRepo,
            session:     $request->getAttribute(ServerRequest::ATTR_SESSION),
@ -63,12 +58,22 @@ class ApiAuth extends AbstractAuth
        );

        if ($auth->isLoggedIn()) {
+            $user = $auth->getLoggedInUser();
+            if ('GET' === $request->getMethod()) {
+                return $user;
+            }
+
+            $csrfKey = $request->getHeaderLine('X-API-CSRF');
+            if (empty($csrfKey) && !$this->environment->isTesting()) {
+                return null;
+            }
+
            $csrf = $request->getAttribute(ServerRequest::ATTR_SESSION_CSRF);

            if ($csrf instanceof Csrf) {
                try {
                    $csrf->verify($csrfKey, self::API_CSRF_NAMESPACE);
-                    return $auth->getLoggedInUser();
+                    return $user;
                } catch (CsrfValidationException) {
                }
            }
--- a/src/View.php
+++ b/src/View.php
@ -127,6 +127,7 @@ class View extends Engine
                    'auth' => $request->getAttribute(ServerRequest::ATTR_AUTH),
                    'acl' => $request->getAttribute(ServerRequest::ATTR_ACL),
                    'customization' => $request->getAttribute(ServerRequest::ATTR_CUSTOMIZATION),
+                    'csrf' => $request->getAttribute(ServerRequest::ATTR_SESSION_CSRF),
                    'flash' => $request->getAttribute(ServerRequest::ATTR_SESSION_FLASH),
                    'user' => $request->getAttribute(ServerRequest::ATTR_USER),
                ]
--- a/templates/stations/sidebar.js.phtml
+++ b/templates/stations/sidebar.js.phtml
@ -24,6 +24,11 @@ $(function () {

                $.ajax({
                    type: 'POST',
+                    headers: {
+                        "X-API-CSRF": <?=$this->escapeJs(
+                            $csrf->generate(\App\Middleware\Auth\ApiAuth::API_CSRF_NAMESPACE)
+                        ) ?>
+                    },
                    url: btn.attr('href'),
                    success: function (data) {
                        // Only restart if the user isn't on a form page