core: allowCors option for Handler

2 years ago · cafe9246c2
parent c347d36e99
commit cafe9246c2
2 changed files with 10 additions and 9 deletions
--- a/packages/hydrooj/src/service/layers/user.ts
+++ b/packages/hydrooj/src/service/layers/user.ts
@ -1,4 +1,4 @@
-import { CsrfTokenError, NotFoundError } from '../../error';
+import { NotFoundError } from '../../error';
 import avatar from '../../lib/avatar';
 import { PERM } from '../../model/builtin';
 import UserModel from '../../model/user';
@ -6,7 +6,7 @@ import type { KoaContext } from '../server';

 export default async (ctx: KoaContext, next) => {
    // User Layer
-    const { request, args, domain } = ctx.HydroContext;
+    const { args, domain } = ctx.HydroContext;
    const domainId = domain ? args.domainId : 'system';
    let user = await UserModel.getById(domainId, ctx.session.uid, ctx.session.scope);
    if (!user) {
@ -21,9 +21,5 @@ export default async (ctx: KoaContext, next) => {
        ctx.pendingError = new NotFoundError(args.domainId);
        args.domainId = 'system';
    }
-    if (request.method === 'post' && request.headers.referer && !ctx.cors) {
-        const host = new URL(request.headers.referer).host;
-        if (host !== request.host) ctx.pendingError = new CsrfTokenError(host);
-    }
    await next();
 };
--- a/packages/hydrooj/src/service/server.ts
+++ b/packages/hydrooj/src/service/server.ts
@ -12,9 +12,9 @@ import WebSocket from 'ws';
 import { Counter, isClass, parseMemoryMB } from '@hydrooj/utils/lib/utils';
 import { Context, Service } from '../context';
 import {
-    HydroError, InvalidOperationError, MethodNotAllowedError,
-    NotFoundError, PermissionError, PrivilegeError,
-    UserFacingError,
+    CsrfTokenError, HydroError, InvalidOperationError,
+    MethodNotAllowedError, NotFoundError, PermissionError,
+    PrivilegeError, UserFacingError,
 } from '../error';
 import { DomainDoc } from '../interface';
 import { Types } from '../lib/validator';
@ -170,6 +170,7 @@ export class HandlerCommon {
 export class Handler extends HandlerCommon {
    loginMethods: any;
    noCheckPermView = false;
+    allowCors = false;
    __param: Record<string, decorators.ParamOption<any>[]>;

    back(body?: any) {
@ -185,6 +186,10 @@ export class Handler extends HandlerCommon {
    }

    async init() {
+        if (this.request.method === 'post' && this.request.headers.referer && !this.context.cors && !this.allowCors) {
+            const host = new URL(this.request.headers.referer).host;
+            if (host !== this.request.host) this.context.pendingError = new CsrfTokenError(host);
+        }
        if (!argv.options.benchmark) await this.limitRate('global', 5, 100);
        if (!this.noCheckPermView && !this.user.hasPriv(PRIV.PRIV_VIEW_ALL_DOMAIN)) this.checkPerm(PERM.PERM_VIEW);
        this.loginMethods = Object.keys(global.Hydro.module.oauth)