Mirrored_Repos/veloren
1
0
Fork 0
mirror of https://gitlab.com/veloren/veloren.git synced 2024-08-30 18:12:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

add comments to warn devs of security impacts

Browse Source
This commit is contained in:
Marcel Märtens 2024-03-18 13:37:50 +01:00
parent dc419e28c0
commit 9e2fdb1c88
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
server-cli/src/web/ui/api.rs
View File

@ -64,6 +64,8 @@ async fn log_users<B>(
Ok(next.run(req).await) Ok(next.run(req).await)
} }
//TODO: do security audit before we extend this api with more security relevant
// functionality (e.g. account management)
pub fn router(web_ui_request_s: UiRequestSender, secret_token: String) -> Router { pub fn router(web_ui_request_s: UiRequestSender, secret_token: String) -> Router {
let token = UiApiToken { secret_token }; let token = UiApiToken { secret_token };
let ip_addrs = IpAddresses::default(); let ip_addrs = IpAddresses::default();

2
server-cli/src/web/ui/mod.rs
View File

@ -67,6 +67,8 @@ Ui is only accessible from 127.0.0.1. Usage of proxies is forbidden.
let cookie = format!("X-Secret-Token={}; SameSite=Strict", token.secret_token); let cookie = format!("X-Secret-Token={}; SameSite=Strict", token.secret_token);
//Note: at this point we give a user our secret for the Api, this is only
// intended for local users, protect this route against the whole internet
response.headers_mut().insert( response.headers_mut().insert(
SET_COOKIE, SET_COOKIE,
HeaderValue::from_str(&cookie).expect("An invalid secret-token for ui was provided"), HeaderValue::from_str(&cookie).expect("An invalid secret-token for ui was provided"),