rixty/SillyTavern
1
0
Fork 0
mirror of https://github.com/SillyTavern/SillyTavern.git synced 2025-06-05 21:59:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implementats CSRF Token

Browse Source
This commit is contained in:
10sa
2023-02-13 22:30:06 +09:00
parent 2dc54a95b5
commit 9490c898c9
4 changed files with 69 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
package.json
View File

@@ -8,7 +8,9 @@
"png-chunks-encode": "^1.0.0", "png-chunks-encode": "^1.0.0",
"png-chunks-extract": "^1.0.0", "png-chunks-extract": "^1.0.0",
"rimraf": "^3.0.2", "rimraf": "^3.0.2",
"sharp": "^0.31.3" "sharp": "^0.31.3",
"csrf-csrf": "^2.2.3",
"cookie-parser": "^1.4.6"
}, },
"name": "TavernAI", "name": "TavernAI",
"version": "1.2.7", "version": "1.2.7",

50
public/index.html
View File

@@ -3,6 +3,7 @@
<head> <head>
<script src="scripts/jquery-3.5.1.min.js"></script> <script src="scripts/jquery-3.5.1.min.js"></script>
<script src="scripts/jquery.transit.min.js"></script> <script src="scripts/jquery.transit.min.js"></script>
<script src="scripts/jquery-cookie-1.4.1.min.js"></script>
<script src="scripts/showdown.min.js"></script> <script src="scripts/showdown.min.js"></script>
<link rel="stylesheet" type="text/css" href="style.css"> <link rel="stylesheet" type="text/css" href="style.css">
<link rel="stylesheet" href="css/bg_load.css"> <link rel="stylesheet" href="css/bg_load.css">
@@ -158,15 +159,23 @@
}, 500); }, 500);
///////////// /////////////
getSettings("def"); var token;
getLastVersion(); $.ajaxPrefilter((options, originalOptions, xhr) => {
//var interval_getSettings = setInterval(getSettings, 1000); xhr.setRequestHeader("X-CSRF-Token", token);
getCharacters(); });
$.get("/csrf-token")
.then(data => {
token = data.token;
getSettings("def");
getLastVersion();
getCharacters();
printMessages();
getBackgrounds();
getUserAvatars();
});
printMessages();
getBackgrounds();
getUserAvatars();
//
$('#characloud_url').click(function(){ $('#characloud_url').click(function(){
window.open('https://boosty.to/tavernai', '_blank'); window.open('https://boosty.to/tavernai', '_blank');
}); });
@@ -306,7 +315,10 @@
const response = await fetch("/getcharacters", { const response = await fetch("/getcharacters", {
method: "POST", method: "POST",
headers: { "Content-Type": "application/json" }, headers: {
"Content-Type": "application/json",
"X-CSRF-Token": token,
},
body: JSON.stringify({ body: JSON.stringify({
                     "": ""                      "": ""
                 })                  })
@@ -340,7 +352,10 @@
const response = await fetch("/getbackgrounds", { const response = await fetch("/getbackgrounds", {
method: "POST", method: "POST",
headers: { "Content-Type": "application/json" }, headers: {
"Content-Type": "application/json",
"X-CSRF-Token": token
},
body: JSON.stringify({ body: JSON.stringify({
                     "": ""                      "": ""
                 })                  })
@@ -364,7 +379,10 @@
is_checked_colab = true; is_checked_colab = true;
const response = await fetch("/iscolab", { const response = await fetch("/iscolab", {
method: "POST", method: "POST",
headers: { "Content-Type": "application/json" }, headers: {
"Content-Type": "application/json",
"X-CSRF-Token": token
},
body: JSON.stringify({ body: JSON.stringify({
                     "": ""                      "": ""
                 })                  })
@@ -430,7 +448,10 @@
async function delBackground(bg) { async function delBackground(bg) {
const response = await fetch("/delbackground", { const response = await fetch("/delbackground", {
method: "POST", method: "POST",
headers: { "Content-Type": "application/json" }, headers: {
"Content-Type": "application/json",
"X-CSRF-Token": token
},
body: JSON.stringify({ body: JSON.stringify({
                     "bg": bg                      "bg": bg
                 })                  })
@@ -2017,7 +2038,10 @@
async function getUserAvatars(){ async function getUserAvatars(){
const response = await fetch("/getuseravatars", { const response = await fetch("/getuseravatars", {
method: "POST", method: "POST",
headers: { "Content-Type": "application/json" }, headers: {
"Content-Type": "application/json",
"X-CSRF-Token": token
},
body: JSON.stringify({ body: JSON.stringify({
                     "": ""                      "": ""
                 })                  })

2
public/scripts/jquery-cookie-1.4.1.min.js vendored Normal file
View File

@@ -0,0 +1,2 @@
/*! jquery.cookie v1.4.1 | MIT */
!function(a){"function"==typeof define&&define.amd?define(["jquery"],a):"object"==typeof exports?a(require("jquery")):a(jQuery)}(function(a){function b(a){return h.raw?a:encodeURIComponent(a)}function c(a){return h.raw?a:decodeURIComponent(a)}function d(a){return b(h.json?JSON.stringify(a):String(a))}function e(a){0===a.indexOf('"')&&(a=a.slice(1,-1).replace(/\\"/g,'"').replace(/\\\\/g,"\\"));try{return a=decodeURIComponent(a.replace(g," ")),h.json?JSON.parse(a):a}catch(b){}}function f(b,c){var d=h.raw?b:e(b);return a.isFunction(c)?c(d):d}var g=/\+/g,h=a.cookie=function(e,g,i){if(void 0!==g&&!a.isFunction(g)){if(i=a.extend({},h.defaults,i),"number"==typeof i.expires){var j=i.expires,k=i.expires=new Date;k.setTime(+k+864e5*j)}return document.cookie=[b(e),"=",d(g),i.expires?"; expires="+i.expires.toUTCString():"",i.path?"; path="+i.path:"",i.domain?"; domain="+i.domain:"",i.secure?"; secure":""].join("")}for(var l=e?void 0:{},m=document.cookie?document.cookie.split("; "):[],n=0,o=m.length;o>n;n++){var p=m[n].split("="),q=c(p.shift()),r=p.join("=");if(e&&e===q){l=f(r,g);break}e||void 0===(r=f(r))||(l[q]=r)}return l};h.defaults={},a.removeCookie=function(b,c){return void 0===a.cookie(b)?!1:(a.cookie(b,"",a.extend({},c,{expires:-1})),!a.cookie(b))}});

27
server.js
View File

@@ -16,6 +16,11 @@ const sharp = require('sharp');
sharp.cache(false); sharp.cache(false);
const path = require('path'); const path = require('path');
const cookieParser = require('cookie-parser');
const crypto = require('crypto');
const doubleCsrf = require('csrf-csrf').doubleCsrf;
const config = require('./config.json'); const config = require('./config.json');
const server_port = config.port; const server_port = config.port;
const whitelist = config.whitelist; const whitelist = config.whitelist;
@@ -49,6 +54,28 @@ var is_colab = false;
const jsonParser = express.json({limit: '100mb'}); const jsonParser = express.json({limit: '100mb'});
const urlencodedParser = express.urlencoded({extended: true, limit: '100mb'}); const urlencodedParser = express.urlencoded({extended: true, limit: '100mb'});
const CSRF_SECRET = crypto.randomBytes(8).toString('hex');
const COOKIES_SECRET = crypto.randomBytes(8).toString('hex');
const { invalidCsrfTokenError, generateToken, doubleCsrfProtection } = doubleCsrf({
getSecret: () => CSRF_SECRET,
cookieName: "X-CSRF-Token",
cookieOptions: {
httpOnly: true,
sameSite: "strict",
},
size: 64,
getTokenFromRequest: (req) => req.headers["x-csrf-token"]
});
app.get("/csrf-token", (req, res) => {
res.json({
"token": generateToken(res)
});
});
app.use(cookieParser(COOKIES_SECRET));
app.use(doubleCsrfProtection);
app.use(function (req, res, next) { //Security app.use(function (req, res, next) { //Security
const clientIp = req.connection.remoteAddress.split(':').pop(); const clientIp = req.connection.remoteAddress.split(':').pop();