gtoriadotnet
/
GraphictoriaWeb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

i hate cors

This commit is contained in:
gtoriadotnet 2021-12-22 00:22:54 -05:00
parent 4723884800
commit 44c28080d0
9 changed files with 92 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
web/app/Http/Controllers/MaintenanceController.php Normal file
View File

@ -0,0 +1,69 @@
<?php
namespace App\Http\Controllers;
use App\Models\WebsiteConfiguration;
use Illuminate\Http\Request;
use Illuminate\Support\Carbon;
use Symfony\Component\HttpFoundation\Cookie;
class MaintenanceController extends Controller
{
/**
* Handles the maintenance bypass request.
*
* @return Response
*/
public function bypass(Request $request)
{
$password = $request->input('password');
$buttons = $request->input('buttons');
if($password && $buttons)
{
$mtconf = json_decode(WebsiteConfiguration::whereName('MaintenancePassword')->first()->value);
if($password == $mtconf->password)
{
$btns = array_slice($buttons, -count($mtconf->combination));
$data = json_decode(file_get_contents(storage_path('framework/down')), true);
if(isset($data['secret']) && $btns === $mtconf->combination)
{
$trustedHosts = explode(',', env('TRUSTED_HOSTS'));
$origin = parse_url($request->headers->get('origin'), PHP_URL_HOST);
$passCheck = false;
foreach($trustedHosts as &$host)
{
if(str_ends_with($origin, $host))
$passCheck = true;
}
$expiresAt = Carbon::now()->addHours(24);
$bypassCookie = new Cookie('gt_constraint', base64_encode(json_encode([
'expires_at' => $expiresAt->getTimestamp(),
'mac' => hash_hmac('SHA256', $expiresAt->getTimestamp(), $data['secret']),
])), $expiresAt);
if($passCheck)
$bypassCookie = $bypassCookie->withDomain('.' . $origin);
return response('')
->withCookie($bypassCookie);
}
}
return response('')
->setStatusCode(403);
}
else
{
return response('{"errors":[{"code":400,"message":"BadRequest"}]}')
->setStatusCode(400)
->header('Cache-Control', 'private')
->header('Content-Type', 'application/json; charset=utf-8');
}
}
}

6
web/app/Http/Middleware/Cors.php
View File

@ -34,6 +34,8 @@ class Cors
->setStatusCode(204) ->setStatusCode(204)
->header('Access-Control-Allow-Origin', $allowedOrigin) ->header('Access-Control-Allow-Origin', $allowedOrigin)
->header('Access-Control-Allow-Methods', '*') ->header('Access-Control-Allow-Methods', '*')
->header('Access-Control-Allow-Headers', '*')
->header('Access-Control-Allow-Credentials', 'true')
->header('Access-Control-Max-Age', '86400'); ->header('Access-Control-Max-Age', '86400');
} }
@ -43,6 +45,10 @@ class Cors
{ {
$nextClosure $nextClosure
->header('Access-Control-Allow-Origin', $allowedOrigin) ->header('Access-Control-Allow-Origin', $allowedOrigin)
->header('Access-Control-Allow-Methods', '*')
->header('Access-Control-Allow-Headers', '*')
->header('Access-Control-Allow-Credentials', 'true')
->header('Access-Control-Max-Age', '86400')
->header('Vary', 'origin'); ->header('Vary', 'origin');
} }

11
web/app/Http/Middleware/PreventRequestsDuringMaintenance.php
View File

@ -39,19 +39,14 @@ class PreventRequestsDuringMaintenance
* *
* @param \Illuminate\Http\Request $request * @param \Illuminate\Http\Request $request
* @param \Closure $next * @param \Closure $next
* @param string $group
* @return mixed * @return mixed
* *
* @throws \Symfony\Component\HttpKernel\Exception\HttpException * @throws \Symfony\Component\HttpKernel\Exception\HttpException
*/ */
public function handle($request, Closure $next, $group = null) public function handle($request, Closure $next)
{ {
if ($this->app->isDownForMaintenance()) { if ($this->app->isDownForMaintenance()) {
$data = json_decode(file_get_contents($this->app->storagePath().'/framework/down'), true); $data = json_decode(file_get_contents($this->app->storagePath().'/framework/down'), true);
if (isset($data['secret']) && $request->path() === $data['secret']) {
return $this->bypassResponse($data['secret']);
}
if ($this->hasValidBypassCookie($request, $data) || if ($this->hasValidBypassCookie($request, $data) ||
$this->inExceptArray($request)) { $this->inExceptArray($request)) {
@ -76,9 +71,9 @@ class PreventRequestsDuringMaintenance
protected function hasValidBypassCookie($request, array $data) protected function hasValidBypassCookie($request, array $data)
{ {
return isset($data['secret']) && return isset($data['secret']) &&
$request->cookie('laravel_maintenance') && $request->cookie('gt_constraint') &&
MaintenanceModeBypassCookie::isValid( MaintenanceModeBypassCookie::isValid(
$request->cookie('laravel_maintenance'), $request->cookie('gt_constraint'),
$data['secret'] $data['secret']
); );
} }

4
web/app/Providers/RouteServiceProvider.php
View File

@ -18,7 +18,9 @@ class RouteServiceProvider extends ServiceProvider
* @var string * @var string
*/ */
public const HOME = '/home'; public const HOME = '/home';
protected $namespace = 'App\Http\Controllers';
/** /**
* The controller namespace for the application. * The controller namespace for the application.
* *

2
web/database/seeders/WebConfigurationSeeder.php
View File

@ -19,7 +19,7 @@ class WebConfigurationSeeder extends Seeder
'name' => 'MaintenancePassword', 'name' => 'MaintenancePassword',
'value' => json_encode( 'value' => json_encode(
[ [
'combination' => ['g','t','o','r','i','a'], 'combination' => [0,7,8,9,10,11],
'password' => '@bs0lut3lyM@55!v3P@55w0rd' 'password' => '@bs0lut3lyM@55!v3P@55w0rd'
]) ])
]); // please please please please please please please change the default password ]); // please please please please please please please change the default password

2
web/resources/js/layouts/App.js vendored
View File

@ -25,6 +25,8 @@ import { Copyright } from '../Pages/Legal/Copyright.js';
import { Privacy } from '../Pages/Legal/Privacy.js'; import { Privacy } from '../Pages/Legal/Privacy.js';
import { Terms } from '../Pages/Legal/Terms.js'; import { Terms } from '../Pages/Legal/Terms.js';
axios.defaults.withCredentials = true
var url = Config.BaseUrl.replace('http://', ''); var url = Config.BaseUrl.replace('http://', '');
var protocol = Config.Protocol; var protocol = Config.Protocol;

7
web/resources/js/pages/Games.js vendored
View File

@ -31,9 +31,10 @@ class Games extends React.Component {
SetTitle('Games'); SetTitle('Games');
axios.get(protocol + 'apis.' + url + '/games/metadata').then((response) => { axios.get(protocol + 'apis.' + url + '/games/metadata')
app.setState({loading: !(response.data.available == false), offline: !response.data.available}); .then((response) => {
}); app.setState({loading: !(response.data.available == false), offline: !response.data.available});
});
} }
render() render()

2
web/resources/js/pages/Maintenance.js vendored
View File

@ -43,7 +43,7 @@ function DoButton(position, state)
'buttons': ButtonHistory 'buttons': ButtonHistory
}) })
.then((response) => { .then((response) => {
console.log(response); window.location.reload();
}); });
} }

8
web/routes/apis.php
View File

@ -20,13 +20,11 @@ Route::get('/', function(){
return 'API OK'; return 'API OK';
}); });
Route::get('/banners/data', [BannerController::class, 'getBanners']); Route::get('/banners/data', 'BannerController@getBanners');
Route::get('/games/metadata', [GamesController::class, 'isAvailable']); Route::get('/games/metadata', 'GamesController@isAvailable');
Route::post('/maintenance/bypass', function(){ Route::post('/maintenance/bypass', 'MaintenanceController@bypass');
return 'test';
});
Route::fallback(function(){ Route::fallback(function(){
return response('{"errors":[{"code":404,"message":"NotFound"}]}', 404) return response('{"errors":[{"code":404,"message":"NotFound"}]}', 404)