fix: consume swagger api with CSRF

2026-01-08 15:00:05 +00:00 · 2022-05-01 06:07:17 +05:00
parent 6d34206bbc
commit 5aaac24080
6 changed files with 67 additions and 25 deletions
--- a/api/src/controllers/web.ts
+++ b/api/src/controllers/web.ts
@@ -1,10 +1,23 @@
+import path from 'path'
 import express from 'express'
 import { Request, Route, Tags, Post, Body, Get } from 'tsoa'
+import { readFile } from '@sasjs/utils'
+
 import User from '../model/User'
+import { getWebBuildFolderPath } from '../utils'

@Route('/')
@Tags('Web')
 export class WebController {
+  /**
+   * @summary Render index.html
+   *
+   */
+  @Get('/')
+  public async home(@Request() req: express.Request) {
+    return home(req)
+  }
+
  /**
   * @summary Accept a valid username/password
   *
@@ -31,6 +44,19 @@ export class WebController {
  }
 }

+const home = async (req: express.Request) => {
+  const indexHtmlPath = path.join(getWebBuildFolderPath(), 'index.html')
+
+  // Attention! Cannot use fileExists here,
+  // due to limitation after building executable
+  const content = await readFile(indexHtmlPath)
+
+  req.res?.cookie('XSRF-TOKEN', req.csrfToken())
+  req.res?.setHeader('Content-Type', 'text/html')
+
+  return content
+}
+
 const login = async (
  req: express.Request,
  { username, password }: LoginPayload
--- a/api/src/routes/api/index.ts
+++ b/api/src/routes/api/index.ts
@@ -36,12 +36,22 @@ router.use('/group', desktopRestrict, groupRouter)
 router.use('/stp', authenticateAccessToken, stpRouter)
 router.use('/code', authenticateAccessToken, codeRouter)
 router.use('/user', desktopRestrict, userRouter)
+
 router.use(
  '/',
  swaggerUi.serve,
  swaggerUi.setup(undefined, {
    swaggerOptions: {
-      url: '/swagger.yaml'
+      url: '/swagger.yaml',
+      requestInterceptor: (request: any) => {
+        request.credentials = 'include'
+
+        const cookie = document.cookie
+        const startIndex = cookie.indexOf('XSRF-TOKEN')
+        const csrf = cookie.slice(startIndex + 11).split('; ')[0]
+        request.headers['X-XSRF-TOKEN'] = csrf
+        return request
+      }
    }
  })
 )
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -1,21 +1,14 @@
-import path from 'path'
 import express from 'express'
-import { readFile } from '@sasjs/utils'
 import { WebController } from '../../controllers/web'
-import { getWebBuildFolderPath, loginWebValidation } from '../../utils'
+import { loginWebValidation } from '../../utils'

 const webRouter = express.Router()
+const controller = new WebController()

 webRouter.get('/', async (req, res) => {
-  const indexHtmlPath = path.join(getWebBuildFolderPath(), 'index.html')
-
  try {
-    // Attention! Cannot use fileExists here, due to limitation after building executable
-    const content = await readFile(indexHtmlPath)
-
-    res.cookie('XSRF-TOKEN', req.csrfToken())
-    res.setHeader('Content-Type', 'text/html')
-    return res.send(content)
+    const response = await controller.home(req)
+    return res.send(response)
  } catch (_) {
    return res.send('Web Build is not present')
  }
@@ -25,7 +18,6 @@ webRouter.post('/login', async (req, res) => {
  const { error, value: body } = loginWebValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)

-  const controller = new WebController()
  try {
    const response = await controller.login(req, body)
    res.send(response)
@@ -35,10 +27,9 @@ webRouter.post('/login', async (req, res) => {
 })

 webRouter.get('/logout', async (req, res) => {
-  const controller = new WebController()
  try {
    await controller.logout(req)
-    res.status(200).send()
+    res.status(200).send('OK!')
  } catch (err: any) {
    res.status(400).send(err.toString())
  }