feat: validate referer on all routes

Oliver Booth 2023-08-10 22:56:49 +01:00
parent 159e1ad65d
commit d3958fc22c
Signed by: oliverbooth
GPG Key ID: 725DB725A0D9EE61


@ -19,20 +19,15 @@ public sealed class BlogApiController : ControllerBase
[Route("count")]
public IActionResult Count()
{
if (!ValidateReferer()) return NotFound();
return Ok(new { count = _blogService.AllPosts.Count });
}
[Route("all/{skip:int?}/{take:int?}")]
public IActionResult GetAllBlogPosts(int skip = 0, int take = -1)
{
if (!ValidateReferer()) return NotFound();
if (take == -1) take = _blogService.AllPosts.Count;
var referer = Request.Headers["Referer"].ToString();
if (!referer.StartsWith(Url.PageLink("/Blog/Index")!))
{
return NotFound();
}
return Ok(_blogService.AllPosts.Skip(skip).Take(take).Select(post => new
{
id = post.Id,
@ -60,6 +55,7 @@ public sealed class BlogApiController : ControllerBase
[Route("author/{id:int}")]
public IActionResult GetAuthor(int id)
{
if (!ValidateReferer()) return NotFound();
if (!_blogService.TryGetAuthor(id, out Author? author)) return NotFound();
return Ok(new
@ -68,4 +64,10 @@ public sealed class BlogApiController : ControllerBase
avatarHash = author.AvatarHash,
});
}
private bool ValidateReferer()
{
var referer = Request.Headers["Referer"].ToString();
return referer.StartsWith(Url.PageLink("/Blog/Index")!);
}
}
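Review bot: ValidateReferer (last hunk) is the gate this commit puts on Count, GetAllBlogPosts and GetAuthor, but Referer is a request header the caller chooses and that browsers may omit under a strict Referrer-Policy, so it cannot serve as access control. The helper should carry a comment saying so, e.g. `// Referer is client-supplied: deters casual hotlinking only, not an authorization check.` The comparison also suppresses the nullable result of `Url.PageLink("/Blog/Index")` with `!`, so a null link would make `StartsWith` throw, and it uses the culture-sensitive overload. I would write `var expected = Url.PageLink("/Blog/Index");` followed by `return expected is not null && referer.StartsWith(expected, StringComparison.Ordinal);`. If these endpoints are meant to be private, that presumably needs a real authorization check rather than this header test.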