-rw-r--r--src/guff.cr14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/guff.cr b/src/guff.cr
index a2e2da5..f25e1c3 100644
--- a/src/guff.cr
+++ b/src/guff.cr
@@ -596,6 +596,9 @@ module Guff
reply(context.response)
when "POST"
begin
+ # check for valid origin or referer header
+ check_request_headers(context.request.headers)
+
# create session
session_id = @context.session.create({
"user_id": login(context.request.body),
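Review bot: The `check_request_headers` call added before session creation does not provide CSRF protection as the comment suggests, because the helper (visible in the next hunk, and flagged by its own FIXME) only requires that an `Origin` or `Referer` header be non-empty; a cross-site form POST from an attacker's page carries both headers, so the check passes for exactly the requests it should block. The comparison needs a trusted expected value: parse the `Origin` (or, failing that, `Referer`) and compare its scheme/host/port against the `Host` header or a configured base URL, rejecting the request on mismatch, e.g. `raise "origin mismatch" unless origin_matches?(context.request.headers, context.request.host_with_port)`. Until that comparison exists the comment should not claim validation; something like `# TODO: presence check only — does not validate origin against this host (see check_request_headers)` is more honest. The enclosing POST handler and its `rescue` clause start and end outside this hunk, so whether the bare `raise` is mapped to a 403 rather than a 500 cannot be confirmed here.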
@@ -671,6 +674,17 @@ module Guff
# return user id
user_id
end
+
+ private def check_request_headers(headers : HTTP::Headers)
+ # FIXME: need to compare these against something rather than
+ # just making sure that they are there
+ raise "missing origin and referer headers" unless %w{
+ origin
+ referer
+ }.any? do |key|
+ headers[key]? && headers[key].size > 0
+ end
+ end
end
class LogoutPageHandler < Handler