* POST endpoints now accept only application/json.

  JSON was always supported, but we now explicitly reject
  regular form posts.

  Thanks to @kcwu and @favonia for pointing out a CSRF vector.
commit e2577e151f570562c970f343ce1d6b2304c33ae7 1 parent 0e8fb40
@audreyt authored
Showing with 33 additions and 10 deletions.
  1. +15 −2 README.mkdn
  2. +10 −5 main.js
  3. +8 −3 src/main.ls
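--- a/README.mkdn
+++ b/README.mkdn
@@ -22,14 +22,27 @@
 ## REST API
+Note that POST endpoints accept only `application/json` requests,
+and will reject regular form posts.
+
 ### GET /_/page
 Fetch the page as a serialization in SocialCalc save format.
 ### PUT /_/page
 Replaces the page with a serialization in SocialCalc save format.
-### POST /_/page?command=...
-Runs one or more commands specified as the `command` POST data parameter.
+### POST /_
+
+Takes a JSON structure with `room` and `snapshot` fields.
+
+Replaces the page with a serialization in Socialtext save format.
+
+### POST /_/page
+
+Takes a JSON structure with a `command` field (either as a string
+or an array of strings).
+
+Runs one or more commands specified in the `command` field.
 ### GET /_/page/cells
 Returns a JSON representation of all defined cells in the page.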
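--- a/main.js
+++ b/main.js
@@ -2,7 +2,7 @@
 var join$ = [].join;
 this.include = function(){
 var DB, SC, KEY, BASEPATH, HMAC_CACHE, hmac, ref$, Text, Html, Csv, Json, RealBin, sendFile, IO, api;
- this.use('bodyParser', this.app.router, this.express['static'](__dirname));
+ this.use('json', this.app.router, this.express['static'](__dirname));
 this.include('dotcloud');
 this.include('player-broadcast');
 this.include('player-graph');
@@ -170,9 +170,9 @@
 });
 this.post({
 '/_/:room': function(){
- var room, command, this$ = this;
+ var room, command, ref$, this$ = this;
 room = this.params.room;
- command = this.body.command;
+ command = (ref$ = this.body) != null ? ref$.command : void 8;
 if (!command) {
 this.response.type(Text);
 return this.response.send(400, 'Please send command');
@@ -198,8 +198,13 @@
 });
 this.post({
 '/_': function(){
- var ref$, room, snapshot, this$ = this;
- ref$ = this.body, room = ref$.room, snapshot = ref$.snapshot;
+ var room, ref$, snapshot, this$ = this;
+ room = (ref$ = this.body) != null ? ref$.room : void 8;
+ snapshot = (ref$ = this.body) != null ? ref$.snapshot : void 8;
+ if (!(room && snapshot)) {
+ this.response.type(Text);
+ return this.response.send(400, 'Please send room and snapshot');
+ }
 return SC._put(room, snapshot, function(){
 this$.response.type(Text);
 return this$.response.send(201, 'OK');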
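--- a/src/main.ls
+++ b/src/main.ls
@@ -1,5 +1,5 @@
 @include = ->
- @use \bodyParser, @app.router, @express.static __dirname
+ @use \json, @app.router, @express.static __dirname
 @include \dotcloud
 @include \player-broadcast
@@ -11,6 +11,7 @@
 KEY = @KEY
 BASEPATH = @BASEPATH
+
 HMAC_CACHE = {}
 hmac = if !KEY then -> it else -> HMAC_CACHE[it] ||= do
 encoder = require \crypto .createHmac \sha256 KEY
@@ -94,7 +95,7 @@
 @post '/_/:room': ->
 {room} = @params
- {command} = @body
+ command = @body?command
 unless command
 @response.type Text
 return @response.send 400 'Please send command'
@@ -109,7 +110,11 @@
 @response.json 202 {command}
 @post '/_': ->
- {room, snapshot} = @body
+ room = @body?room
+ snapshot = @body?snapshot
+ unless room and snapshot
+ @response.type Text
+ return @response.send 400 'Please send room and snapshot'
 <~ SC._put room, snapshot
 @response.type Text
 @response.send 201 \OK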
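Review bot: The CSRF mitigation now rests on two facts that nothing in the code records — that the `json` middleware chosen at the `@use \json` line leaves `@body` unset for any request that is not `application/json` (which is what the new `@body?command` and `@body?room` guards imply), and that a browser will not send a cross-origin `application/json` request without a CORS preflight — so a later `@use` of a urlencoded/multipart parser, or of a permissive credentialed CORS middleware, would silently reopen the vector without any test failing. I would add above that line: `# JSON-only body parsing doubles as the CSRF defence: a plain form post cannot set application/json. Do not add urlencoded/multipart parsers or a credentialed wildcard CORS policy here without revisiting this.` The two 400 responses could also say that a JSON body is required, e.g. `return @response.send 400 'Please send command as JSON'`, since a client that still posts a form now gets a message that does not explain why its `command` went missing. main.js appears to be the compiled output of this file and carries the same four changes, so the same comment belongs on its `this.use('json', …)` line.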