Fixed #267

- Added csrf middleware to management portal mux - Added csrf token to all html templates - Added csrf validation to all endpoints - Optimized some old endpoints implementation
2025-08-06 21:28:30 +02:00 · 2024-07-24 21:58:44 +08:00
parent b1c5bc2963
commit f595da92a1
45 changed files with 535 additions and 307 deletions
--- a/src/web/snippet/accessRuleEditor.html
+++ b/src/web/snippet/accessRuleEditor.html
@@ -3,9 +3,11 @@
  <head>
      <!-- Notes: This should be open in its original path-->
      <meta charset="utf-8">
+      <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
      <link rel="stylesheet" href="../script/semantic/semantic.min.css">
      <script src="../script/jquery-3.6.0.min.js"></script>
      <script src="../script/semantic/semantic.min.js"></script>
+      <script src="../script/utils.js"></script>
      <style>
        #refreshAccessRuleListBtn{
            position: absolute;
@@ -94,7 +96,7 @@
        $("#accessRuleForm input[name='accessRuleName']").val("");
        $("#accessRuleForm textarea[name='description']").val("");

-        $.ajax({
+        $.cjax({
            url: "/api/access/create",
            method: "POST",
            data: {
@@ -162,7 +164,7 @@
        console.log('Access Rule Name:', accessRuleName);
        console.log('Description:', description);

-        $.ajax({
+        $.cjax({
            url: "/api/access/update",
            method: "POST",
            data: {
@@ -238,7 +240,7 @@
        }
        let accessRuleName = $("#modifyRuleInfo input[name='accessRuleName']").val();
        if (confirm("Confirm removing access rule " + accessRuleName + "?")){
-            $.ajax({
+            $.cjax({
                url: "/api/access/remove",
                data: {
                    "id": accessRuleUUID
--- a/src/web/snippet/acme.html
+++ b/src/web/snippet/acme.html
@@ -3,9 +3,11 @@
  <head>
      <!-- Notes: This should be open in its original path-->
      <meta charset="utf-8">
+      <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
      <link rel="stylesheet" href="../script/semantic/semantic.min.css">
      <script src="../script/jquery-3.6.0.min.js"></script>
      <script src="../script/semantic/semantic.min.js"></script>
+      <script src="../script/utils.js"></script>
      <style>
        .disabled.table{
          opacity: 0.5;
@@ -234,8 +236,9 @@
    initRenewerConfigFromFile();

    function saveEmailToConfig(btn){
-      $.ajax({
+      $.cjax({
        url: "/api/acme/autoRenew/email",
+        method: "POST",
        data: {set: $("#caRegisterEmail").val()},
        success: function(data){
          if (data.error != undefined){
@@ -256,27 +259,29 @@

    function toggleAutoRenew(){
      var enabled = $("#enableCertAutoRenew").parent().checkbox("is checked");
-      $.post("/api/acme/autoRenew/enable?enable=" + enabled, function(data){
-        if (data.error){
-          parent.msgbox(data.error, false, 5000);
-          if (enabled){
-            enableTrigerOnChangeEvent = false;
-            $("#enableCertAutoRenew").parent().checkbox("set unchecked");
-            enableTrigerOnChangeEvent = true;
-          }
-          if (parent && parent.setACMEEnableStates){
-            parent.setACMEEnableStates(!enabled);
-          }
-        }else{
-          $("#enableToggleSucc").stop().finish().fadeIn("fast").delay(3000).fadeOut("fast");
-          if (parent && parent.setACMEEnableStates){
-            parent.setACMEEnableStates(enabled);
+      $.cjax({
+        url: "/api/acme/autoRenew/enable",
+        method: "POST",
+        data: {"enable": enabled},
+        success: function(data){
+          if (data.error){
+            parent.msgbox(data.error, false, 5000);
+            if (enabled){
+              enableTrigerOnChangeEvent = false;
+              $("#enableCertAutoRenew").parent().checkbox("set unchecked");
+              enableTrigerOnChangeEvent = true;
+            }
+            if (parent && parent.setACMEEnableStates){
+               parent.setACMEEnableStates(!enabled);
+            }
+          }else{
+            $("#enableToggleSucc").stop().finish().fadeIn("fast").delay(3000).fadeOut("fast");
+            if (parent && parent.setACMEEnableStates){
+              parent.setACMEEnableStates(enabled);
+            }
          }
        }
      });
-
-      
-      
    }

    //Render the domains table that exists in this zoraxy host
@@ -630,7 +635,7 @@
        return;
      }

-      $.ajax({
+      $.cjax({
        url: "/api/acme/autoRenew/setDNS",
        method: "POST",
        data: {
@@ -843,8 +848,9 @@
    function saveAutoRenewPolicy(){
      let autoRenewAll = $("#renewAllSupported").parent().checkbox("is checked");
      if (autoRenewAll == true){
-        $.ajax({
+        $.cjax({
          url: "/api/acme/autoRenew/setDomains",
+          method: "POST",
          data: {opr: "setAuto"},
          success: function(data){
            parent.msgbox("Renew policy rule updated")
@@ -856,8 +862,9 @@
          checkedNames.push($(this).attr('name'));
        });

-        $.ajax({
+        $.cjax({
          url: "/api/acme/autoRenew/setDomains",
+          method: "POST",
          data: {opr: "setSelected", domains: JSON.stringify(checkedNames)},
          success: function(data){
            parent.msgbox("Renew policy rule updated")
--- a/src/web/snippet/advanceStatsOprs.html
+++ b/src/web/snippet/advanceStatsOprs.html
@@ -3,9 +3,11 @@
    <head>
        <!-- Notes: This should be open in its original path-->
        <meta charset="utf-8">
+        <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
        <link rel="stylesheet" href="../script/semantic/semantic.min.css">
        <script src="../script/jquery-3.6.0.min.js"></script>
        <script src="../script/semantic/semantic.min.js"></script>
+        <script src="../script/utils.js"></script>
    </head>
    <body>
        <br>
@@ -46,7 +48,7 @@

            function handleResetStats(){
                if (confirm("Confirm remove statistics from " + startDate + " to " + endDate +"?")){
-                    $.ajax({
+                    $.cjax({
                        url: "/api/analytic/resetRange?start=" + startDate + "&end=" + endDate,
                        method: "DELETE",
                        success: function(data){
--- a/src/web/snippet/aliasEditor.html
+++ b/src/web/snippet/aliasEditor.html
@@ -3,9 +3,11 @@
    <head>
        <!-- Notes: This should be open in its original path-->
        <meta charset="utf-8">
+        <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
        <link rel="stylesheet" href="../script/semantic/semantic.min.css">
        <script src="../script/jquery-3.6.0.min.js"></script>
        <script src="../script/semantic/semantic.min.js"></script>
+        <script src="../script/utils.js"></script>
    </head>
    <body>
        <br>
@@ -71,7 +73,7 @@
            }

            function initAliasNames(){
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/detail",
                    method: "POST",
                    data: {
@@ -130,7 +132,7 @@
            }

            function saveCurrentAliasList(callback=undefined){
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/setAlias",
                    method: "POST",
                    data:{
--- a/src/web/snippet/basicAuthEditor.html
+++ b/src/web/snippet/basicAuthEditor.html
@@ -3,9 +3,11 @@
    <head>
        <!-- Notes: This should be open in its original path-->
        <meta charset="utf-8">
+        <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
        <link rel="stylesheet" href="../script/semantic/semantic.min.css">
        <script src="../script/jquery-3.6.0.min.js"></script>
        <script src="../script/semantic/semantic.min.js"></script>
+        <script src="../script/utils.js"></script>
    </head>
    <body>
        <br>
@@ -174,7 +176,7 @@
                    parent.msgbox("Matching prefix cannot be empty!", false, 5000);
                    return;
                }
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/auth/exceptions/add",
                    data:{
                        ep: editingEndpoint.ep,
@@ -195,7 +197,7 @@

            function removeExceptionPath(object){
                let matchingPrefix = $(object).attr("prefix");
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/auth/exceptions/delete",
                    data:{
                        ep: editingEndpoint.ep,
@@ -290,7 +292,7 @@
            }

            function saveCredentials(){
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/updateCredentials",
                    method: "POST",
                    data: {
--- a/src/web/snippet/configTools.html
+++ b/src/web/snippet/configTools.html
@@ -3,9 +3,11 @@
    <head>
        <!-- Notes: This should be open in its original path-->
        <meta charset="utf-8">
+        <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
        <link rel="stylesheet" href="../script/semantic/semantic.min.css">
        <script src="../script/jquery-3.6.0.min.js"></script>
        <script src="../script/semantic/semantic.min.js"></script>
+        <script src="../script/utils.js"></script>
    </head>
    <body>
        <br>
@@ -70,10 +72,10 @@
                }
            }

-            document.getElementById("uploadForm").addEventListener("submit", function(event) {
+            $("#uploadForm").submit(function(event) {
                event.preventDefault(); // Prevent the form from submitting normally

-                var fileInput = document.getElementById("fileInput");
+                var fileInput = $("#fileInput")[0];
                var file = fileInput.files[0];
                if (!file) {
                    alert("Missing file.");
@@ -83,18 +85,19 @@
                var formData = new FormData();
                formData.append("file", file);

-                var xhr = new XMLHttpRequest();
-                xhr.open("POST", "/api/conf/import", true);
-                xhr.onreadystatechange = function() {
-                    if (xhr.readyState === XMLHttpRequest.DONE) {
-                        if (xhr.status === 200) {
-                            parent.msgbox("Config restore succeed. Restart Zoraxy to apply changes.")
-                        } else {
-                            parent.msgbox("Restore failed: " + xhr.responseText, false, 5000);
-                        }
+                $.cjax({
+                    url: "/api/conf/import",
+                    type: "POST",
+                    data: formData,
+                    processData: false, // Not to process the data
+                    contentType: false, // Not to set contentType
+                    success: function(response) {
+                        parent.msgbox("Config restore succeed. Restart Zoraxy to apply changes.");
+                    },
+                    error: function(xhr) {
+                        parent.msgbox("Restore failed: " + xhr.responseText, false, 5000);
                    }
-                };
-                xhr.send(formData);
+                });
            });
        </script>
    </body>
--- a/src/web/snippet/customHeaders.html
+++ b/src/web/snippet/customHeaders.html
@@ -3,9 +3,11 @@
    <head>
        <!-- Notes: This should be open in its original path-->
        <meta charset="utf-8">
+        <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
        <link rel="stylesheet" href="../script/semantic/semantic.min.css">
        <script src="../script/jquery-3.6.0.min.js"></script>
        <script src="../script/semantic/semantic.min.js"></script>
+        <script src="../script/utils.js"></script>
        <style>
            .ui.tabular.menu .item.narrowpadding{
                padding: 0.6em !important;
@@ -92,9 +94,6 @@
                        </div>
                        <div class="content">
                            <br>
-                            <div class="ui yellow message">
-                                <p><i class="exclamation triangle icon"></i>Settings in this section are for advanced users. Invalid settings might cause werid, unexpected behavior.</p>
-                            </div>
                            <div class="ui container">
                                <h4>Overwrite Host Header</h4>
                                <p>Manual override the automatic "Host" header rewrite logic. Leave empty for automatic.</p>
@@ -112,7 +111,9 @@
                                    <label>Remove Hop-by-hop Header<br>
                                    <small>This should be ON by default</small></label>
                                </div>
-                                <div class="ui divider"></div>
+                                <div class="ui yellow message">
+                                    <p><i class="exclamation triangle icon"></i>Settings in this section are for advanced users. Invalid settings might cause werid, unexpected behavior.</p>
+                                </div>
                            </div>
                        </div>
                    </div>
@@ -247,8 +248,9 @@
                    }
                }

-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/header/add",
+                    method: "POST",
                    data: {
                        "type": getHeaderEditMode(),
                        "domain": editingEndpoint.ep,
@@ -279,10 +281,10 @@
            }

            function deleteCustomHeader(name){
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/header/remove",
+                    method: "POST",
                    data: {
-                        //"type": editingEndpoint.ept,
                        "domain": editingEndpoint.ep,
                        "name": name,
                    },
@@ -299,6 +301,7 @@
                $("#headerTable").html(`<tr><td colspan="3"><i class="ui loading spinner icon"></i> Loading</td></tr>`);
                $.ajax({
                    url: "/api/proxy/header/list",
+                    method: "GET",
                    data: {
                        "type": editingEndpoint.ept,
                        "domain": editingEndpoint.ep,
@@ -307,7 +310,6 @@
                        if (data.error != undefined){
                            alert(data.error);
                        }else{
-                           
                            $("#headerTable").html("");
                            data.forEach(header => {
                                let editModeIcon = header.IsRemove?`<i class="ui red times circle icon"></i>`:`<i class="ui green add circle icon"></i>`;
@@ -351,7 +353,7 @@
                    /* Bind events to toggles */
                    $("#enableHSTS").on("change", function(){
                        let HSTSEnabled = $("#enableHSTS")[0].checked;
-                        $.ajax({
+                        $.cjax({
                            url: "/api/proxy/header/handleHSTS",
                            method: "POST",
                            data: {
@@ -426,7 +428,7 @@
                            $("#permissionPolicyEditor").addClass("disabled");
                        }

-                        $.ajax({
+                        $.cjax({
                            url: "/api/proxy/header/handlePermissionPolicy",
                            method: "POST",
                            data: {
@@ -532,7 +534,7 @@
                let permissionPolicy = generatePermissionPolicyObject();
                let domain = editingEndpoint.ep;

-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/header/handlePermissionPolicy",
                    method: "PUT",
                    data: {
@@ -576,7 +578,7 @@

            function updateManualHostOverwriteVal(callback=undefined){
                let newHostname = $("#manualHostOverwrite").val().trim();
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/header/handleHostOverwrite",
                    method: "POST",
                    data: {
@@ -615,7 +617,7 @@
                        //Bind event to the checkbox
                        $("#removeHopByHop").on("change", function(evt){
                            let isChecked = $(this)[0].checked;
-                            $.ajax({
+                            $.cjax({
                                url: "/api/proxy/header/handleHopByHop",
                                method: "POST",
                                data: {
--- a/src/web/snippet/hostAccessEditor.html
+++ b/src/web/snippet/hostAccessEditor.html
@@ -3,9 +3,11 @@
    <head>
        <!-- Notes: This should be open in its original path-->
        <meta charset="utf-8">
+        <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
        <link rel="stylesheet" href="../script/semantic/semantic.min.css">
        <script src="../script/jquery-3.6.0.min.js"></script>
        <script src="../script/semantic/semantic.min.js"></script>
+        <script src="../script/utils.js"></script>
        <style>
            .accessRule{
                cursor: pointer;
@@ -124,12 +126,10 @@
                        }
                    }
                });
-
-
            }

            initAccessRuleList(function(){
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/detail",
                    method: "POST",
                    data: {"type":"host", "epname": editingEndpoint.ep },
@@ -160,7 +160,7 @@
            function applyChangeAndClose(){
                let newAccessRuleID = $(".accessRule.active").attr("ruleid");
                let targetEndpoint = editingEndpoint.ep;
-                $.ajax({
+                $.cjax({
                    url: "/api/access/attach",
                    method: "POST",
                    data: {
--- a/src/web/snippet/placeholder.html
+++ b/src/web/snippet/placeholder.html
@@ -2,9 +2,11 @@
 <html>
    <head>
        <meta charset="utf-8">
+        <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
        <link rel="stylesheet" href="../script/semantic/semantic.min.css">
        <script src="../script/jquery-3.6.0.min.js"></script>
        <script src="../script/semantic/semantic.min.js"></script>
+        <script src="../script/utils.js"></script>
        <style>
            body{
                height: 100%;
--- a/src/web/snippet/upstreams.html
+++ b/src/web/snippet/upstreams.html
@@ -3,9 +3,11 @@
    <head>
        <!-- Notes: This should be open in its original path-->
        <meta charset="utf-8">
+        <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
        <link rel="stylesheet" href="../script/semantic/semantic.min.css">
        <script src="../script/jquery-3.6.0.min.js"></script>
        <script src="../script/semantic/semantic.min.js"></script>
+        <script src="../script/utils.js"></script>
        <style>
            .upstreamActions{
                position: absolute;
@@ -133,7 +135,7 @@
            function initOriginList(){
                $.ajax({
                    url: "/api/proxy/upstream/list",
-                    method: "POST",
+                    method: "GET",
                    data: {
                        "type":"host",
                        "ep": editingEndpoint.ep
@@ -284,8 +286,9 @@
                }else{
                    //URL does not contains https or http protocol tag
                    //sniff header
-                    $.ajax({
+                    $.cjax({
                            url: "/api/proxy/tlscheck",
+                            method: "POST",
                            data: {url: targetDomain},
                            success: function(data){
                                if (data.error != undefined){
@@ -313,7 +316,7 @@
                    return;
                }

-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/upstream/add",
                    method: "POST",
                    data:{
@@ -365,7 +368,7 @@
                let newConfig = getUpstreamSettingFromDOM(targetDOM);
                let isActive = $(targetDOM).find(".enableState")[0].checked;
                console.log(newConfig);
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/upstream/update",
                    method: "POST",
                    data: {
@@ -418,8 +421,9 @@
                }else{
                    //URL does not contains https or http protocol tag
                    //sniff header
-                    $.ajax({
+                    $.cjax({
                            url: "/api/proxy/tlscheck",
+                            method: "POST",
                            data: {url: targetDomain},
                            success: function(data){
                                if (data.error != undefined){
@@ -460,7 +464,7 @@

            //Set a weight of a upstream
            function setUpstreamWeight(originIP, newWeight){
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/upstream/setPriority",
                    method: "POST",
                    data: {
@@ -489,7 +493,7 @@
                    return;
                }
                //Remove the upstream
-                $.ajax({
+                $.cjax({
                    url: "/api/proxy/upstream/remove",
                    method: "POST",
                    data: {