feat: validate referer on all routes

2023-08-10 22:56:49 +01:00 · 2023-08-10 22:56:49 +01:00 · d3958fc22c
commit d3958fc22c
parent 159e1ad65d
1 changed files with 9 additions and 7 deletions
--- a/OliverBooth/Controllers/BlogApiController.cs
+++ b/OliverBooth/Controllers/BlogApiController.cs
@ -19,20 +19,15 @@ public sealed class BlogApiController : ControllerBase
    [Route("count")]
    public IActionResult Count()
    {
+        if (!ValidateReferer()) return NotFound();
        return Ok(new { count = _blogService.AllPosts.Count });
    }

    [Route("all/{skip:int?}/{take:int?}")]
    public IActionResult GetAllBlogPosts(int skip = 0, int take = -1)
    {
+        if (!ValidateReferer()) return NotFound();
        if (take == -1) take = _blogService.AllPosts.Count;
-
-        var referer = Request.Headers["Referer"].ToString();
-        if (!referer.StartsWith(Url.PageLink("/Blog/Index")!))
-        {
-            return NotFound();
-        }
-
        return Ok(_blogService.AllPosts.Skip(skip).Take(take).Select(post => new
        {
            id = post.Id,
@ -60,6 +55,7 @@ public sealed class BlogApiController : ControllerBase
    [Route("author/{id:int}")]
    public IActionResult GetAuthor(int id)
    {
+        if (!ValidateReferer()) return NotFound();
        if (!_blogService.TryGetAuthor(id, out Author? author)) return NotFound();

        return Ok(new
@ -68,4 +64,10 @@ public sealed class BlogApiController : ControllerBase
            avatarHash = author.AvatarHash,
        });
    }
+    
+    private bool ValidateReferer()
+    {
+        var referer = Request.Headers["Referer"].ToString();
+        return referer.StartsWith(Url.PageLink("/Blog/Index")!);
+    }
 }