work on revising api
This commit is contained in:
		
							parent
							
								
									a8f8aea35f
								
							
						
					
					
						commit
						a148826b39
					
				
					 2 changed files with 39 additions and 3 deletions
				
			
		|  | @ -25,9 +25,11 @@ import core | ||||||
| from onionrblockapi import Block | from onionrblockapi import Block | ||||||
| import onionrutils, onionrexceptions, onionrcrypto, blockimporter, onionrevents as events, logger, config, onionr | import onionrutils, onionrexceptions, onionrcrypto, blockimporter, onionrevents as events, logger, config, onionr | ||||||
| 
 | 
 | ||||||
|  | API_VERSION = 0 | ||||||
|  | 
 | ||||||
| def guessMime(path): | def guessMime(path): | ||||||
|     ''' |     ''' | ||||||
|         Guesses the mime type from the input filename |         Guesses the mime type of a file from the input filename | ||||||
|     ''' |     ''' | ||||||
|     mimetypes = { |     mimetypes = { | ||||||
|         'html' : 'text/html', |         'html' : 'text/html', | ||||||
|  | @ -113,10 +115,45 @@ class API: | ||||||
|         logger.info('Running api on %s:%s' % (self.host, self.bindPort)) |         logger.info('Running api on %s:%s' % (self.host, self.bindPort)) | ||||||
|         self.httpServer = '' |         self.httpServer = '' | ||||||
| 
 | 
 | ||||||
|  |         @app.before_request | ||||||
|  |         def validateRequest(): | ||||||
|  |             '''Validate request has set password and is the correct hostname''' | ||||||
|  |             if request.host != '%s:%s' % (self.host, self.bindPort): | ||||||
|  |                 abort(403) | ||||||
|  |             try: | ||||||
|  |                 if not hmac.compare_digest(request.headers['token'], self.clientToken): | ||||||
|  |                     abort(403) | ||||||
|  |             except KeyError: | ||||||
|  |                 abort(403) | ||||||
|  |          | ||||||
|  |         @app.after_request | ||||||
|  |         def afterReq(resp): | ||||||
|  |             resp.headers["Content-Security-Policy"] =  "default-src 'none'; script-src 'none'; object-src 'none'; style-src data: 'unsafe-inline'; img-src data:; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'" | ||||||
|  |             resp.headers['X-Frame-Options'] = 'deny' | ||||||
|  |             resp.headers['X-Content-Type-Options'] = "nosniff" | ||||||
|  |             resp.headers['X-API'] = API_VERSION | ||||||
|  |             resp.headers['Server'] = 'nginx' | ||||||
|  |             resp.headers['Date'] = 'Thu, 1 Jan 1970 00:00:00 GMT' # Clock info is probably useful to attackers. Set to unix epoch. | ||||||
|  |             return resp | ||||||
|  | 
 | ||||||
|  |         @app.route('/ping') | ||||||
|  |         def ping(): | ||||||
|  |             return Respose("pong!") | ||||||
|  | 
 | ||||||
|         @app.route('/') |         @app.route('/') | ||||||
|         def hello(): |         def hello(): | ||||||
|             return Response("hello client") |             return Response("hello client") | ||||||
|          |          | ||||||
|  |         @app.route('/waitforshare/<name>', methods='post') | ||||||
|  |         def waitforshare(): | ||||||
|  |             assert name.isalnum() | ||||||
|  |             if name in self.publicAPI.hideBlocks: | ||||||
|  |                 self.publicAPI.hideBlocks.remove(name) | ||||||
|  |                 return Response("removed") | ||||||
|  |             else: | ||||||
|  |                 self.publicAPI.hideBlocks.append(name) | ||||||
|  |                 return Response("added") | ||||||
|  | 
 | ||||||
|         @app.route('/shutdown') |         @app.route('/shutdown') | ||||||
|         def shutdown(): |         def shutdown(): | ||||||
|             try: |             try: | ||||||
|  |  | ||||||
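Review bot: `waitforshare` never receives the `<name>` path variable (its signature takes no argument) and `methods='post'` hands Flask a string where a list is expected, so the route cannot match a POST and, if it did, the body would raise NameError on `name`; change the two lines to `@app.route('/waitforshare/<name>', methods=['POST'])` and `def waitforshare(name):`. The `assert name.isalnum()` guard is stripped under `python -O`, so validate it as `if not name.isalnum(): abort(400)` instead. `ping` returns `Respose("pong!")`, a misspelling of `Response` that raises NameError on the first request. `hmac`, `request` and `abort` used by `validateRequest` do not appear in the import hunk above; confirm they are imported elsewhere in the file. The enclosing method starts before this hunk and continues past it.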
|  | @ -167,12 +167,11 @@ class OnionrUtils: | ||||||
|         if data != '': |         if data != '': | ||||||
|             data = '&data=' + urllib.parse.quote_plus(data) |             data = '&data=' + urllib.parse.quote_plus(data) | ||||||
|         payload = 'http://%s:%s/%s%s' % (hostname, config.get('client.client.port'), command, data) |         payload = 'http://%s:%s/%s%s' % (hostname, config.get('client.client.port'), command, data) | ||||||
|         logger.info(payload) |  | ||||||
|         #payload = 'http://%s:%s/client/?action=%s&token=%s&timingToken=%s' % (hostname, config.get('client.client.port'), command, config.get('client.webpassword'), self.timingToken) |         #payload = 'http://%s:%s/client/?action=%s&token=%s&timingToken=%s' % (hostname, config.get('client.client.port'), command, config.get('client.webpassword'), self.timingToken) | ||||||
|         #if data != '': |         #if data != '': | ||||||
|         #    payload += '&data=' + urllib.parse.quote_plus(data) |         #    payload += '&data=' + urllib.parse.quote_plus(data) | ||||||
|         try: |         try: | ||||||
|             retData = requests.get(payload).text |             retData = requests.get(payload, headers={'token': config.get('client.webpassword')}).text | ||||||
|         except Exception as error: |         except Exception as error: | ||||||
|             if not silent: |             if not silent: | ||||||
|                 logger.error('Failed to make local request (command: %s):%s' % (command, error)) |                 logger.error('Failed to make local request (command: %s):%s' % (command, error)) | ||||||
|  |  | ||||||
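Review bot: The changed `requests.get(...)` line carries the token header but still no `timeout=`, so a local daemon that accepts the connection and never answers blocks this method indefinitely; `retData = requests.get(payload, headers={'token': config.get('client.webpassword')}, timeout=30).text` (30 is an example value) turns that into an exception the existing `except Exception` branch already reports. Moving the web password from the query string into a header is an improvement, since it keeps the secret out of the URL that the removed `logger.info(payload)` used to log. The enclosing method starts before this hunk.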