Remove csrf check by using jwt instead

LibrePhotos · May 20, 2023 · f0648fb · f0648fb
1 parent 6bd8844
commit f0648fb
Showing 1 changed file with 24 additions and 5 deletions.
diff --git a/api/views/upload.py b/api/views/upload.py
@@ -6,9 +6,14 @@
 from chunked_upload.models import ChunkedUpload
 from chunked_upload.views import ChunkedUploadCompleteView, ChunkedUploadView
 from django.core.files.base import ContentFile
+from django.http import HttpResponseForbidden
 from django.shortcuts import get_object_or_404
+from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_exempt
 from rest_framework import viewsets
 from rest_framework.response import Response
+from rest_framework_simplejwt.exceptions import TokenError
+from rest_framework_simplejwt.tokens import AccessToken
 
 import api.util as util
 from api.models import Photo, User
@@ -24,13 +29,20 @@ def retrieve(self, request, pk):
             return Response({"exists": False})
 
 
+@method_decorator(csrf_exempt, name="dispatch")
 class UploadPhotosChunked(ChunkedUploadView):
-
     model = ChunkedUpload
 
     def check_permissions(self, request):
+        jwt = request.COOKIES.get("jwt")
+        if jwt is not None:
+            try:
+                AccessToken(jwt)
+            except TokenError:
+                return HttpResponseForbidden()
+        else:
+            return HttpResponseForbidden()
         # To-Do: make deactivatable
-        # To-Do: Maybe check jwt token here?
         # To-Do: Check if file is allowed type
         user = User.objects.filter(id=request.POST.get("user")).first()
         if not user or not user.is_authenticated:
@@ -50,12 +62,20 @@ def create_chunked_upload(self, save=False, **attrs):
         return chunked_upload
 
 
+@method_decorator(csrf_exempt, name="dispatch")
 class UploadPhotosChunkedComplete(ChunkedUploadCompleteView):
-
     model = ChunkedUpload
 
     def check_permissions(self, request):
-        # To-Do: Maybe check jwt token here?
+        jwt = request.COOKIES.get("jwt")
+        if jwt is not None:
+            try:
+                AccessToken(jwt)
+            except TokenError:
+                return HttpResponseForbidden()
+        else:
+            return HttpResponseForbidden()
+
         user = User.objects.filter(id=request.POST.get("user")).first()
         if not user or not user.is_authenticated:
             raise ChunkedUploadError(
@@ -85,7 +105,6 @@ def on_completion(self, uploaded_file, request):
                     user.scan_directory, "uploads", device, filename
                 )
             else:
-
                 existing_photo_hash = calculate_hash(
                     user, os.path.join(user.scan_directory, "uploads", device, filename)
                 )