add origin/referer check

author: Paul Duncan <pabs@pablotron.org> 2016-05-21 13:35:31 -0400
committer: Paul Duncan <pabs@pablotron.org> 2016-05-21 13:35:31 -0400
commit: 3eb07fcdf2a227009faa11eddf96fe63952533c6 (patch)
tree: 463005a5e84b5dcefa3231a5199574363919ea3b /src
parent: b49749b64c9c82546150f89de5ec41259fccebdc (diff)
download: guff-3eb07fcdf2a227009faa11eddf96fe63952533c6.tar.bz2
guff-3eb07fcdf2a227009faa11eddf96fe63952533c6.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/src/guff.cr b/src/guff.cr
index a2e2da5..f25e1c3 100644
--- a/src/guff.cr
+++ b/src/guff.cr
@@ -596,6 +596,9 @@ module Guff
             reply(context.response)
           when "POST"
             begin
+              # check for valid origin or referer header
+              check_request_headers(context.request.headers)
+
               # create session
               session_id = @context.session.create({
                 "user_id": login(context.request.body),
@@ -671,6 +674,17 @@ module Guff
         # return user id
         user_id
       end
+
+      private def check_request_headers(headers : HTTP::Headers)
+        # FIXME: need to compare these against something rather than
+        # just making sure that they are there
+        raise "missing origin and referer headers" unless %w{
+          origin
+          referer
+        }.any? do |key|
+          headers[key]? && headers[key].size > 0
+        end
+      end
     end
 
     class LogoutPageHandler < Handler
author	Paul Duncan <pabs@pablotron.org>	2016-05-21 13:35:31 -0400
committer	Paul Duncan <pabs@pablotron.org>	2016-05-21 13:35:31 -0400
commit	3eb07fcdf2a227009faa11eddf96fe63952533c6 (patch)
tree	463005a5e84b5dcefa3231a5199574363919ea3b /src
parent	b49749b64c9c82546150f89de5ec41259fccebdc (diff)
download	guff-3eb07fcdf2a227009faa11eddf96fe63952533c6.tar.bz2 guff-3eb07fcdf2a227009faa11eddf96fe63952533c6.zip