From 000a5915a143f52aa46f8838947e08b6b96e6bff Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Sat, 21 May 2016 14:02:52 -0400 Subject: refactor origin check --- src/guff.cr | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'src/guff.cr') diff --git a/src/guff.cr b/src/guff.cr index e123eff..2702d7e 100644 --- a/src/guff.cr +++ b/src/guff.cr @@ -452,6 +452,14 @@ module Guff def initialize(@context : Context) super() end + + protected def valid_origin_headers?(headers : HTTP::Headers) + # FIXME: need to compare these against something rather than + # just making sure that they are there + %w{origin referer}.any? do |key| + headers[key]? && headers[key].size > 0 + end + end end abstract class AuthenticatedHandler < Handler @@ -506,7 +514,8 @@ module Guff def call(context : HTTP::Server::Context) req_path = context.request.path.not_nil! - if matching_request?(context.request.method, req_path) + if matching_request?(context.request.method, req_path) && + valid_origin_headers?(context.request.headers) # get expanded path to file if abs_path = expand_path(req_path) # get file digest @@ -601,7 +610,9 @@ module Guff when "POST" begin # check for valid origin or referer header - check_request_headers(context.request.headers) + unless valid_origin_headers?(context.request.headers) + raise "missing origin and referer headers" + end # create session session_id = @context.session.create({ @@ -678,17 +689,6 @@ module Guff # return user id user_id end - - private def check_request_headers(headers : HTTP::Headers) - # FIXME: need to compare these against something rather than - # just making sure that they are there - raise "missing origin and referer headers" unless %w{ - origin - referer - }.any? do |key| - headers[key]? && headers[key].size > 0 - end - end end class LogoutPageHandler < Handler 
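Review bot: `valid_origin_headers?` accepts any non-empty Origin or Referer without comparing it to this server's own origin, so a cross-site POST from a browser — which always carries Origin and usually Referer — passes it, and the check gives no CSRF protection even though the callers in this commit rely on it as one; the FIXME says as much, and the `any?` form means that when both headers are present either one suffices. Compare the header's scheme, host and port against the site's configured origin, consult Referer only when Origin is absent, and treat an unparseable value or `Origin: null` as foreign. Where the expected origin would come from is not visible in this hunk (the handler only holds `@context`), so the rewrite below takes it as a parameter; default-port normalisation (`https://host` versus `https://host:443`) is left to whoever supplies it.
```crystal
    # True only when the request's Origin header -- or, if Origin is
    # absent, its Referer -- names this server's own origin.  A header
    # that is present but foreign, unparseable, or "null" yields false.
    protected def valid_origin_headers?(headers : HTTP::Headers, expected : URI) : Bool
      value = headers["origin"]? || headers["referer"]?
      return false if value.nil? || value.empty?

      got = URI.parse(value)
      got.scheme == expected.scheme &&
        got.host == expected.host &&
        got.port == expected.port
    rescue
      # unparseable header value: treat as foreign rather than raising
      false
    end
```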
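Review bot: Requiring an Origin or Referer header before serving a file in this `call` turns away legitimate requests: a typed URL, a bookmark, a client honouring `Referrer-Policy: no-referrer`, and most non-browser clients send neither header, and since the branch only reads a file (`expand_path`, the digest lookup) the check buys no CSRF protection in return. If the intent is hotlink protection, a presence-only test does not give that either, because an embedding page always sends a Referer. I would drop `valid_origin_headers?` from this condition, or at most reject a present-but-foreign value while letting requests with no header through; `call` and the `if` it opens continue outside the hunk.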
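Review bot: The `raise "missing origin and referer headers"` inside `begin` reports a client-side policy failure as a bare `Exception`, which the `rescue` (presumably further down, outside this hunk) cannot tell apart from a failure of the `@context.session.create` call that follows, so the two cases cannot get different response codes or log entries. Define a dedicated class such as `class InvalidOriginError < Exception; end`, raise it here, and have the rescue map it to a 403 while other errors keep their current handling. Running the test only on the `"POST"` branch is the right placement, since it is what guards session creation.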
@@ -696,7 +696,8 @@ module Guff def call(context : HTTP::Server::Context) if context.request.method == "GET" && - PATH_RE.match(context.request.path.not_nil!) + PATH_RE.match(context.request.path.not_nil!) && + valid_origin_headers?(context.request.headers) # delete session @context.session.delete -- cgit v1.2.3
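Review bot: Logout stays a state change triggered by GET, and the added `valid_origin_headers?` test does not stop a third-party page from forcing it: an `<img src="…/logout">` or a link carries the attacker's Referer (GET navigations generally carry no Origin at all), and a present Referer is all the check asks for. Conversely a user who types the logout URL or browses with a no-referrer policy sends neither header and is silently not logged out, the `if` falling through to whatever the enclosing `call` does after this hunk. Handle logout on POST with the same origin comparison used for login, or at minimum require a same-origin value rather than mere presence.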