oliverbooth/oliverbooth.dev
oliverbooth/oliverbooth.dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Activity

feat: validate referer on all routes

Browse Source
This commit is contained in:
Oliver Booth 2023-08-10 22:56:49 +01:00
parent 159e1ad65d
commit d3958fc22c
Signed by: oliverbooth
GPG Key ID: 725DB725A0D9EE61
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
OliverBooth/Controllers/BlogApiController.cs
View File

@ -19,20 +19,15 @@ public sealed class BlogApiController : ControllerBase
[Route("count")] [Route("count")]
public IActionResult Count() public IActionResult Count()
{ {
if (!ValidateReferer()) return NotFound();
return Ok(new { count = _blogService.AllPosts.Count }); return Ok(new { count = _blogService.AllPosts.Count });
} }
[Route("all/{skip:int?}/{take:int?}")] [Route("all/{skip:int?}/{take:int?}")]
public IActionResult GetAllBlogPosts(int skip = 0, int take = -1) public IActionResult GetAllBlogPosts(int skip = 0, int take = -1)
{ {
if (!ValidateReferer()) return NotFound();
if (take == -1) take = _blogService.AllPosts.Count; if (take == -1) take = _blogService.AllPosts.Count;
var referer = Request.Headers["Referer"].ToString();
if (!referer.StartsWith(Url.PageLink("/Blog/Index")!))
{
return NotFound();
}
return Ok(_blogService.AllPosts.Skip(skip).Take(take).Select(post => new return Ok(_blogService.AllPosts.Skip(skip).Take(take).Select(post => new
{ {
id = post.Id, id = post.Id,
@ -60,6 +55,7 @@ public sealed class BlogApiController : ControllerBase
[Route("author/{id:int}")] [Route("author/{id:int}")]
public IActionResult GetAuthor(int id) public IActionResult GetAuthor(int id)
{ {
if (!ValidateReferer()) return NotFound();
if (!_blogService.TryGetAuthor(id, out Author? author)) return NotFound(); if (!_blogService.TryGetAuthor(id, out Author? author)) return NotFound();
return Ok(new return Ok(new
@ -68,4 +64,10 @@ public sealed class BlogApiController : ControllerBase
avatarHash = author.AvatarHash, avatarHash = author.AvatarHash,
}); });
} }
private bool ValidateReferer()
{
var referer = Request.Headers["Referer"].ToString();
return referer.StartsWith(Url.PageLink("/Blog/Index")!);
}
} }