refactor origin check

author: Paul Duncan <pabs@pablotron.org> 2016-05-21 14:02:52 -0400
committer: Paul Duncan <pabs@pablotron.org> 2016-05-21 14:02:52 -0400
commit: 000a5915a143f52aa46f8838947e08b6b96e6bff (patch)
tree: 2846af468a7ede7ccd2ad77266a4997e5cf994eb /src
parent: 1640651d01fe5443f3a9c807303014f1cbb2ce43 (diff)
download: guff-000a5915a143f52aa46f8838947e08b6b96e6bff.tar.bz2
guff-000a5915a143f52aa46f8838947e08b6b96e6bff.zip
1 files changed, 15 insertions, 14 deletions
diff --git a/src/guff.cr b/src/guff.cr
index e123eff..2702d7e 100644
--- a/src/guff.cr
+++ b/src/guff.cr
@@ -452,6 +452,14 @@ module Guff
       def initialize(@context : Context)
         super()
       end
+
+      protected def valid_origin_headers?(headers : HTTP::Headers)
+        # FIXME: need to compare these against something rather than
+        # just making sure that they are there
+        %w{origin referer}.any? do |key|
+          headers[key]? && headers[key].size > 0
+        end
+      end
     end
 
     abstract class AuthenticatedHandler < Handler
@@ -506,7 +514,8 @@ module Guff
       def call(context : HTTP::Server::Context)
         req_path = context.request.path.not_nil!
 
-        if matching_request?(context.request.method, req_path)
+        if matching_request?(context.request.method, req_path) &&
+           valid_origin_headers?(context.request.headers)
           # get expanded path to file
           if abs_path = expand_path(req_path)
             # get file digest
@@ -601,7 +610,9 @@ module Guff
           when "POST"
             begin
               # check for valid origin or referer header
-              check_request_headers(context.request.headers)
+              unless valid_origin_headers?(context.request.headers)
+                raise "missing origin and referer headers"
+              end
 
               # create session
               session_id = @context.session.create({
@@ -678,17 +689,6 @@ module Guff
         # return user id
         user_id
       end
-
-      private def check_request_headers(headers : HTTP::Headers)
-        # FIXME: need to compare these against something rather than
-        # just making sure that they are there
-        raise "missing origin and referer headers" unless %w{
-          origin
-          referer
-        }.any? do |key|
-          headers[key]? && headers[key].size > 0
-        end
-      end
     end
 
     class LogoutPageHandler < Handler
@@ -696,7 +696,8 @@ module Guff
 
       def call(context : HTTP::Server::Context)
         if context.request.method == "GET" &&
-           PATH_RE.match(context.request.path.not_nil!)
+           PATH_RE.match(context.request.path.not_nil!) &&
+           valid_origin_headers?(context.request.headers)
           # delete session
           @context.session.delete
author	Paul Duncan <pabs@pablotron.org>	2016-05-21 14:02:52 -0400
committer	Paul Duncan <pabs@pablotron.org>	2016-05-21 14:02:52 -0400
commit	000a5915a143f52aa46f8838947e08b6b96e6bff (patch)
tree	2846af468a7ede7ccd2ad77266a4997e5cf994eb /src
parent	1640651d01fe5443f3a9c807303014f1cbb2ce43 (diff)
download	guff-000a5915a143f52aa46f8838947e08b6b96e6bff.tar.bz2 guff-000a5915a143f52aa46f8838947e08b6b96e6bff.zip