Fixed #267

- Added csrf middleware to management portal mux - Added csrf token to all html templates - Added csrf validation to all endpoints - Optimized some old endpoints implementation
2025-08-07 21:58:29 +02:00 · 2024-07-24 21:58:44 +08:00
parent b1c5bc2963
commit f595da92a1
45 changed files with 535 additions and 307 deletions
--- a/src/web/snippet/configTools.html
+++ b/src/web/snippet/configTools.html
@@ -3,9 +3,11 @@
    <head>
        <!-- Notes: This should be open in its original path-->
        <meta charset="utf-8">
+        <meta name="zoraxy.csrf.Token" content="{{.csrfToken}}">
        <link rel="stylesheet" href="../script/semantic/semantic.min.css">
        <script src="../script/jquery-3.6.0.min.js"></script>
        <script src="../script/semantic/semantic.min.js"></script>
+        <script src="../script/utils.js"></script>
    </head>
    <body>
        <br>
@@ -70,10 +72,10 @@
                }
            }

-            document.getElementById("uploadForm").addEventListener("submit", function(event) {
+            $("#uploadForm").submit(function(event) {
                event.preventDefault(); // Prevent the form from submitting normally

-                var fileInput = document.getElementById("fileInput");
+                var fileInput = $("#fileInput")[0];
                var file = fileInput.files[0];
                if (!file) {
                    alert("Missing file.");
@@ -83,18 +85,19 @@
                var formData = new FormData();
                formData.append("file", file);

-                var xhr = new XMLHttpRequest();
-                xhr.open("POST", "/api/conf/import", true);
-                xhr.onreadystatechange = function() {
-                    if (xhr.readyState === XMLHttpRequest.DONE) {
-                        if (xhr.status === 200) {
-                            parent.msgbox("Config restore succeed. Restart Zoraxy to apply changes.")
-                        } else {
-                            parent.msgbox("Restore failed: " + xhr.responseText, false, 5000);
-                        }
+                $.cjax({
+                    url: "/api/conf/import",
+                    type: "POST",
+                    data: formData,
+                    processData: false, // Not to process the data
+                    contentType: false, // Not to set contentType
+                    success: function(response) {
+                        parent.msgbox("Config restore succeed. Restart Zoraxy to apply changes.");
+                    },
+                    error: function(xhr) {
+                        parent.msgbox("Restore failed: " + xhr.responseText, false, 5000);
                    }
-                };
-                xhr.send(formData);
+                });
            });
        </script>
    </body>