work on revising api

Kevin Froman 2018-12-19 00:06:25 -06:00
parent a8f8aea35f
commit a148826b39
2 changed files with 39 additions and 3 deletions


@ -25,9 +25,11 @@ import core
from onionrblockapi import Block
import onionrutils, onionrexceptions, onionrcrypto, blockimporter, onionrevents as events, logger, config, onionr
API_VERSION = 0
def guessMime(path):
'''
Guesses the mime type from the input filename
Guesses the mime type of a file from the input filename
'''
mimetypes = {
'html' : 'text/html',
@ -113,10 +115,45 @@ class API:
logger.info('Running api on %s:%s' % (self.host, self.bindPort))
self.httpServer = ''
@app.before_request
def validateRequest():
'''Validate request has set password and is the correct hostname'''
if request.host != '%s:%s' % (self.host, self.bindPort):
abort(403)
try:
if not hmac.compare_digest(request.headers['token'], self.clientToken):
abort(403)
except KeyError:
abort(403)
@app.after_request
def afterReq(resp):
resp.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'none'; object-src 'none'; style-src data: 'unsafe-inline'; img-src data:; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'"
resp.headers['X-Frame-Options'] = 'deny'
resp.headers['X-Content-Type-Options'] = "nosniff"
resp.headers['X-API'] = API_VERSION
resp.headers['Server'] = 'nginx'
resp.headers['Date'] = 'Thu, 1 Jan 1970 00:00:00 GMT' # Clock info is probably useful to attackers. Set to unix epoch.
return resp
@app.route('/ping')
def ping():
return Respose("pong!")
@app.route('/')
def hello():
return Response("hello client")
@app.route('/waitforshare/<name>', methods='post')
def waitforshare():
assert name.isalnum()
if name in self.publicAPI.hideBlocks:
self.publicAPI.hideBlocks.remove(name)
return Response("removed")
else:
self.publicAPI.hideBlocks.append(name)
return Response("added")
@app.route('/shutdown')
def shutdown():
try:
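Review bot: The `/waitforshare/<name>` handler cannot be reached as written: `methods='post'` is a bare string, which Flask iterates as single characters when building the rule's method set, so no real HTTP method matches, and `def waitforshare():` declares no `name` parameter even though the rule captures one, so dispatch would fail with a TypeError on the unexpected keyword. Those two lines should read `@app.route('/waitforshare/<name>', methods=['POST'])` and `def waitforshare(name):`. The `assert name.isalnum()` guard is stripped when the interpreter runs with `-O`, leaving the route to accept any path segment; use `if not name.isalnum(): abort(400)` instead. The `/ping` handler also returns `Respose("pong!")`, which is a NameError at request time rather than `Response`. The `shutdown` handler's body runs past the end of the hunk and was not reviewed.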


@ -167,12 +167,11 @@ class OnionrUtils:
if data != '':
data = '&data=' + urllib.parse.quote_plus(data)
payload = 'http://%s:%s/%s%s' % (hostname, config.get('client.client.port'), command, data)
logger.info(payload)
#payload = 'http://%s:%s/client/?action=%s&token=%s&timingToken=%s' % (hostname, config.get('client.client.port'), command, config.get('client.webpassword'), self.timingToken)
#if data != '':
# payload += '&data=' + urllib.parse.quote_plus(data)
try:
retData = requests.get(payload).text
retData = requests.get(payload, headers={'token': config.get('client.webpassword')}).text
except Exception as error:
if not silent:
logger.error('Failed to make local request (command: %s):%s' % (command, error))
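Review bot: The new `requests.get(payload, headers={'token': config.get('client.webpassword')})` has no `timeout`, so a hung or stalled local daemon blocks the caller indefinitely; pass one, e.g. `requests.get(payload, headers={'token': config.get('client.webpassword')}, timeout=5)` with whatever bound suits the local API. Moving the web password out of the query string into the `token` header is the right direction, and if `logger.info(payload)` survives on the new side it is worth a comment such as `# safe to log: the auth token travels in a header, not in the URL` so nobody reintroduces the token into the logged string. The three commented-out `#payload` lines are dead code from the old query-string scheme and should be deleted rather than carried along. The enclosing method begins before the hunk, so how `retData` is handled after the except clause was not reviewed.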