Merge pull request #820 from AnthonyMichaelTDM/issue819

put plugin API on separate mux not protected by CSRF
2025-09-19 10:39:40 +02:00 · 2025-09-13 23:16:27 +08:00
parent c745d82cf3 e2c0fe3abf
commit 6efab48d33
3 changed files with 17 additions and 7 deletions
--- a/example/plugins/plugin2plugin-comms-peer1/www/index.html
+++ b/example/plugins/plugin2plugin-comms-peer1/www/index.html
@@ -21,12 +21,12 @@
            z-index: 1000;
        }
        .sent-message {
-            background-color: #d4edda;
+            background-color: var(--theme_bg_primary);
            border-left: 5px solid #155724;
            animation: fadeIn 0.5s;
        }
        .received-message {
-            background-color: #cce5ff;
+            background-color: var(--theme_bg_secondary);
            border-left: 5px solid #004085;
            animation: fadeIn 0.5s;
        }
--- a/example/plugins/plugin2plugin-comms-peer2/www/index.html
+++ b/example/plugins/plugin2plugin-comms-peer2/www/index.html
@@ -21,12 +21,12 @@
            z-index: 1000;
        }
        .sent-message {
-            background-color: #d4edda;
+            background-color: var(--theme_bg_primary);
            border-left: 5px solid #155724;
            animation: fadeIn 0.5s;
        }
        .received-message {
-            background-color: #cce5ff;
+            background-color: var(--theme_bg_secondary);
            border-left: 5px solid #004085;
            animation: fadeIn 0.5s;
        }
--- a/src/main.go
+++ b/src/main.go
@@ -115,9 +115,19 @@ func main() {
 	//Initiate management interface APIs
 	requireAuth = !(*noauth)
 	initAPIs(webminPanelMux)
-	initRestAPI(webminPanelMux)

-	//Start the reverse proxy server in go routine
+	// Create a new plugin API mux
+	pluginAPIMux := http.NewServeMux()
+	initRestAPI(pluginAPIMux)
+
+	// Create a parent mux to route /plugin endpoints without CSRF, others with CSRF
+	parentMux := http.NewServeMux()
+	// /plugin (rest API) endpoints: no CSRF
+	parentMux.Handle("/plugin/", pluginAPIMux)
+	// all other endpoints: with CSRF
+	parentMux.Handle("/", csrfMiddleware(webminPanelMux))
+
+	// Start the reverse proxy server in go routine
 	go func() {
 		ReverseProxtInit()
 	}()
@@ -134,7 +144,7 @@ func main() {
 		SystemWideLogger.Println(SYSTEM_NAME + " started. Visit control panel at http://" + *webUIPort)
 	}

-	err = http.ListenAndServe(*webUIPort, csrfMiddleware(webminPanelMux))
+	err = http.ListenAndServe(*webUIPort, parentMux)

 	if err != nil {
 		log.Fatal(err)