work on revising api

Kevin Froman 2018-12-19 00:06:25 -06:00
parent a8f8aea35f
commit a148826b39
2 changed files with 39 additions and 3 deletions


@ -25,9 +25,11 @@ import core
from onionrblockapi import Block from onionrblockapi import Block
import onionrutils, onionrexceptions, onionrcrypto, blockimporter, onionrevents as events, logger, config, onionr import onionrutils, onionrexceptions, onionrcrypto, blockimporter, onionrevents as events, logger, config, onionr
API_VERSION = 0
def guessMime(path): def guessMime(path):
''' '''
Guesses the mime type from the input filename Guesses the mime type of a file from the input filename
''' '''
mimetypes = { mimetypes = {
'html' : 'text/html', 'html' : 'text/html',
@ -113,10 +115,45 @@ class API:
logger.info('Running api on %s:%s' % (self.host, self.bindPort)) logger.info('Running api on %s:%s' % (self.host, self.bindPort))
self.httpServer = '' self.httpServer = ''
@app.before_request
def validateRequest():
'''Validate request has set password and is the correct hostname'''
if request.host != '%s:%s' % (self.host, self.bindPort):
abort(403)
try:
if not hmac.compare_digest(request.headers['token'], self.clientToken):
abort(403)
except KeyError:
abort(403)
@app.after_request
def afterReq(resp):
resp.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'none'; object-src 'none'; style-src data: 'unsafe-inline'; img-src data:; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'"
resp.headers['X-Frame-Options'] = 'deny'
resp.headers['X-Content-Type-Options'] = "nosniff"
resp.headers['X-API'] = API_VERSION
resp.headers['Server'] = 'nginx'
resp.headers['Date'] = 'Thu, 1 Jan 1970 00:00:00 GMT' # Clock info is probably useful to attackers. Set to unix epoch.
return resp
@app.route('/ping')
def ping():
return Respose("pong!")
@app.route('/') @app.route('/')
def hello(): def hello():
return Response("hello client") return Response("hello client")
@app.route('/waitforshare/<name>', methods='post')
def waitforshare():
assert name.isalnum()
if name in self.publicAPI.hideBlocks:
self.publicAPI.hideBlocks.remove(name)
return Response("removed")
else:
self.publicAPI.hideBlocks.append(name)
return Response("added")
@app.route('/shutdown') @app.route('/shutdown')
def shutdown(): def shutdown():
try: try:
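Review bot: `waitforshare` declares no `name` parameter although its route captures `<name>`, so Flask's call with the path variable raises TypeError before the body runs, and `methods='post'` is a plain string where Flask expects a list of method names; change the two lines to `@app.route('/waitforshare/<name>', methods=['POST'])` and `def waitforshare(name):`. The `assert name.isalnum()` guard is stripped under `python -O`, so the check that keeps arbitrary strings out of `hideBlocks` should be `if not name.isalnum(): abort(400)`. `ping` returns `Respose("pong!")`, which is a NameError at request time; the class used two lines later is `Response`. The enclosing method of `API` continues outside the hunk, and `request`, `abort` and the `hmac` module used by `validateRequest` are not in the visible import line, so confirm they are imported elsewhere in the file.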


@ -167,12 +167,11 @@ class OnionrUtils:
if data != '': if data != '':
data = '&data=' + urllib.parse.quote_plus(data) data = '&data=' + urllib.parse.quote_plus(data)
payload = 'http://%s:%s/%s%s' % (hostname, config.get('client.client.port'), command, data) payload = 'http://%s:%s/%s%s' % (hostname, config.get('client.client.port'), command, data)
logger.info(payload)
#payload = 'http://%s:%s/client/?action=%s&token=%s&timingToken=%s' % (hostname, config.get('client.client.port'), command, config.get('client.webpassword'), self.timingToken) #payload = 'http://%s:%s/client/?action=%s&token=%s&timingToken=%s' % (hostname, config.get('client.client.port'), command, config.get('client.webpassword'), self.timingToken)
#if data != '': #if data != '':
# payload += '&data=' + urllib.parse.quote_plus(data) # payload += '&data=' + urllib.parse.quote_plus(data)
try: try:
retData = requests.get(payload).text retData = requests.get(payload, headers={'token': config.get('client.webpassword')}).text
except Exception as error: except Exception as error:
if not silent: if not silent:
logger.error('Failed to make local request (command: %s):%s' % (command, error)) logger.error('Failed to make local request (command: %s):%s' % (command, error))
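Review bot: The added `logger.info(payload)` writes the complete local-API URL, including the URL-encoded `data` argument, to the log at info level on every call; if `data` can carry block contents or other material the caller treats as private (not visible here), that is more than the log needs to record. Since the token is now sent in the `token` header rather than the URL, logging only the command at debug level, `logger.debug('local request: %s', command)`, keeps the diagnostic value without echoing request bodies. The enclosing method begins outside the hunk.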