[API] disable xsrf for cookie GET requests

Also, list API works now. Only the file isn't downloaded yet.

[API] disable xsrf for cookie GET requests
Also, list API works now. Only the file isn't downloaded yet.
44d898e8 · Przemyslaw Kaminski · 03d73fca · 44d898e8 · 44d898e8 · 44d898e8
Commit 44d898e8 authored Mar 04, 2020 by Przemyslaw Kaminski
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 8 deletions

API.hs src/Gargantext/API.hs +1 -1

List.hs src/Gargantext/API/Ngrams/List.hs +1 -5

Settings.hs src/Gargantext/API/Settings.hs +4 -2

No files found.
--- a/src/Gargantext/API.hs
+++ b/src/Gargantext/API.hs
@@ -208,7 +208,7 @@ type GargAPI' =
           -- auth and capabilities.
          :<|> GargPrivateAPI

-type GargPrivateAPI = SA.Auth '[SA.JWT] AuthenticatedUser :> GargPrivateAPI'
+type GargPrivateAPI = SA.Auth '[SA.JWT, SA.Cookie] AuthenticatedUser :> GargPrivateAPI'

 type GargAdminAPI
              -- Roots endpoint

--- a/src/Gargantext/API/Ngrams/List.hs
+++ b/src/Gargantext/API/Ngrams/List.hs
@@ -24,11 +24,8 @@ module Gargantext.API.Ngrams.List
  where

 import Data.Aeson
-- import qualified Data.ByteString.Lazy as BSL
 import Data.List (zip)
 import Data.Map (Map, toList, fromList)
-- import qualified Data.Text as T
-- import qualified Data.Text.Encoding as TE
 import Network.HTTP.Media ((//), (/:))
 import Servant

@@ -52,7 +49,7 @@ type API = Get '[JSON] NgramsList
      :<|> Get '[HTML] NgramsList

 api :: ListId -> GargServer API
-api l = get l :<|> put l :<|> get l
+api l = get l :<|> put l :<|> getHtml l

 get :: RepoCmdM env err m
    => ListId -> m NgramsList
@@ -65,7 +62,6 @@ getHtml :: RepoCmdM env err m
 getHtml lId = do
  lst <- get lId
  return lst
-  --return $ TE.decodeUtf8 $ BSL.toStrict $ encode lst


 -- TODO : purge list

--- a/src/Gargantext/API/Settings.hs
+++ b/src/Gargantext/API/Settings.hs
@@ -48,7 +48,7 @@ import Data.ByteString (ByteString)
 import qualified Data.ByteString.Lazy as L

 import Servant
-import Servant.Auth.Server (defaultJWTSettings, JWTSettings, CookieSettings, defaultCookieSettings, readKey, writeKey)
+import Servant.Auth.Server (defaultJWTSettings, JWTSettings, CookieSettings(..), XsrfCookieSettings(..), defaultCookieSettings, defaultXsrfCookieSettings, readKey, writeKey)
 import Servant.Client (BaseUrl, parseBaseUrl)
 import qualified Servant.Job.Core
 import Servant.Job.Async (newJobEnv, defaultSettings, HasJobEnv(..), Job)
@@ -106,9 +106,11 @@ devSettings jwkFile = do
    , _sendLoginEmails = LogEmailToConsole
    , _scrapydUrl = fromMaybe (panic "Invalid scrapy URL") $ parseBaseUrl "http://localhost:6800"
    , _fileFolder = "data"
-    , _cookieSettings = defaultCookieSettings -- TODO-SECURITY tune
+    , _cookieSettings = defaultCookieSettings { cookieXsrfSetting = Just xsrfCookieSetting } -- TODO-SECURITY tune
    , _jwtSettings = defaultJWTSettings jwk -- TODO-SECURITY tune
    }
+  where
+    xsrfCookieSetting = defaultXsrfCookieSettings { xsrfExcludeGet = True }