work on revising api

2018-12-19 00:06:25 -06:00 · 2018-12-19 00:06:25 -06:00 · a148826b39
parent a8f8aea35f
commit a148826b39
2 changed files with 39 additions and 3 deletions
--- a/onionr/api.py
+++ b/onionr/api.py
@ -25,9 +25,11 @@ import core
 from onionrblockapi import Block
 import onionrutils, onionrexceptions, onionrcrypto, blockimporter, onionrevents as events, logger, config, onionr

+API_VERSION = 0
+
 def guessMime(path):
    '''
-        Guesses the mime type from the input filename
+        Guesses the mime type of a file from the input filename
    '''
    mimetypes = {
        'html' : 'text/html',
@ -113,10 +115,45 @@ class API:
        logger.info('Running api on %s:%s' % (self.host, self.bindPort))
        self.httpServer = ''

+        @app.before_request
+        def validateRequest():
+            '''Validate request has set password and is the correct hostname'''
+            if request.host != '%s:%s' % (self.host, self.bindPort):
+                abort(403)
+            try:
+                if not hmac.compare_digest(request.headers['token'], self.clientToken):
+                    abort(403)
+            except KeyError:
+                abort(403)
+        
+        @app.after_request
+        def afterReq(resp):
+            resp.headers["Content-Security-Policy"] =  "default-src 'none'; script-src 'none'; object-src 'none'; style-src data: 'unsafe-inline'; img-src data:; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'"
+            resp.headers['X-Frame-Options'] = 'deny'
+            resp.headers['X-Content-Type-Options'] = "nosniff"
+            resp.headers['X-API'] = API_VERSION
+            resp.headers['Server'] = 'nginx'
+            resp.headers['Date'] = 'Thu, 1 Jan 1970 00:00:00 GMT' # Clock info is probably useful to attackers. Set to unix epoch.
+            return resp
+
+        @app.route('/ping')
+        def ping():
+            return Respose("pong!")
+
        @app.route('/')
        def hello():
            return Response("hello client")
        
+        @app.route('/waitforshare/<name>', methods='post')
+        def waitforshare():
+            assert name.isalnum()
+            if name in self.publicAPI.hideBlocks:
+                self.publicAPI.hideBlocks.remove(name)
+                return Response("removed")
+            else:
+                self.publicAPI.hideBlocks.append(name)
+                return Response("added")
+
        @app.route('/shutdown')
        def shutdown():
            try:
--- a/onionr/onionrutils.py
+++ b/onionr/onionrutils.py
@ -167,12 +167,11 @@ class OnionrUtils:
        if data != '':
            data = '&data=' + urllib.parse.quote_plus(data)
        payload = 'http://%s:%s/%s%s' % (hostname, config.get('client.client.port'), command, data)
-        logger.info(payload)
        #payload = 'http://%s:%s/client/?action=%s&token=%s&timingToken=%s' % (hostname, config.get('client.client.port'), command, config.get('client.webpassword'), self.timingToken)
        #if data != '':
        #    payload += '&data=' + urllib.parse.quote_plus(data)
        try:
-            retData = requests.get(payload).text
+            retData = requests.get(payload, headers={'token': config.get('client.webpassword')}).text
        except Exception as error:
            if not silent:
                logger.error('Failed to make local request (command: %s):%s' % (command, error))