Fix 8688gxkuj

2025-01-23 22:40:20 +08:00 · 2024-05-16 17:25:36 -04:00 · 2024-05-16 17:25:36 -04:00 · f042b095f1
commit f042b095f1
parent b68873c5f4
2 changed files with 27 additions and 7 deletions
--- a/packages/backend/src/routers/down.js
+++ b/packages/backend/src/routers/down.js
@ -11,7 +11,7 @@ const { HLRead } = require('../filesystem/hl_operations/hl_read.js');
 // -----------------------------------------------------------------------//
 // GET /down
 // -----------------------------------------------------------------------//
-router.get('/down', auth, fs, express.json(), async (req, res, next)=>{
+router.post('/down', auth, fs, express.json(), async (req, res, next)=>{
    // check subdomain
    if(require('../helpers').subdomain(req) !== 'api')
        next();
@ -20,6 +20,12 @@ router.get('/down', auth, fs, express.json(), async (req, res, next)=>{
    if((config.strict_email_verification_required || req.user.requires_email_confirmation) && !req.user.email_confirmed)
        return res.status(400).send({code: 'account_is_not_verified', message: 'Account is not verified'});

+    // check anti-csrf token
+    const svc_antiCSRF = req.services.get('anti-csrf');
+    if ( ! svc_antiCSRF.consume_token(req.user.uuid, req.body.anti_csrf) ) {
+        return res.status(400).json({ message: 'incorrect anti-CSRF token' });
+    }
+
    // validation
    if(!req.query.path)
        return res.status(400).send('path is required')
--- a/src/helpers.js
+++ b/src/helpers.js
@ -1542,12 +1542,26 @@ window.trigger_download = (paths)=>{
        });
    }

-    urls.forEach(function (e) {                
-        fetch(e.download)                  
-            .then(res => res.blob())                  
-            .then(blob => {                    
-                saveAs(blob, e.filename);                
-            });            
+    urls.forEach(async function (e) {                
+        const anti_csrf = await (async () => {
+            const resp = await fetch(`${window.gui_origin}/get-anticsrf-token`);
+            const { token } = await resp.json();
+            return token;
+        })();
+        fetch(e.download, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': 'Bearer ' + puter.authToken,
+            },
+            body: JSON.stringify({
+                anti_csrf,
+            }),
+        })
+            .then(res => res.blob())
+            .then(blob => {
+                saveAs(blob, e.filename);
+            });
    });
 }