Allow "GET" API calls and "Restart Station" button.

AzuraCast · Aug 28, 2021 · 888e110 · 888e110
1 parent 5a2f1a4
commit 888e110
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 6 deletions.
diff --git a/src/Middleware/Auth/ApiAuth.php b/src/Middleware/Auth/ApiAuth.php
@@ -51,24 +51,29 @@ protected function getApiUser(ServerRequestInterface $request): ?Entity\User
         }
 
         // Fallback to session login if available.
-        $csrfKey = $request->getHeaderLine('X-API-CSRF');
-        if (empty($csrfKey) && !$this->environment->isTesting()) {
-            return null;
-        }
-
         $auth = new Auth(
             userRepo:    $this->userRepo,
             session:     $request->getAttribute(ServerRequest::ATTR_SESSION),
             environment: $this->environment,
         );
 
         if ($auth->isLoggedIn()) {
+            $user = $auth->getLoggedInUser();
+            if ('GET' === $request->getMethod()) {
+                return $user;
+            }
+
+            $csrfKey = $request->getHeaderLine('X-API-CSRF');
+            if (empty($csrfKey) && !$this->environment->isTesting()) {
+                return null;
+            }
+
             $csrf = $request->getAttribute(ServerRequest::ATTR_SESSION_CSRF);
 
             if ($csrf instanceof Csrf) {
                 try {
                     $csrf->verify($csrfKey, self::API_CSRF_NAMESPACE);
-                    return $auth->getLoggedInUser();
+                    return $user;
                 } catch (CsrfValidationException) {
                 }
             }

diff --git a/src/View.php b/src/View.php
@@ -127,6 +127,7 @@ public function setRequest(?ServerRequestInterface $request): void
                     'auth' => $request->getAttribute(ServerRequest::ATTR_AUTH),
                     'acl' => $request->getAttribute(ServerRequest::ATTR_ACL),
                     'customization' => $request->getAttribute(ServerRequest::ATTR_CUSTOMIZATION),
+                    'csrf' => $request->getAttribute(ServerRequest::ATTR_SESSION_CSRF),
                     'flash' => $request->getAttribute(ServerRequest::ATTR_SESSION_FLASH),
                     'user' => $request->getAttribute(ServerRequest::ATTR_USER),
                 ]

diff --git a/templates/stations/sidebar.js.phtml b/templates/stations/sidebar.js.phtml
@@ -24,6 +24,11 @@ $(function () {
 
                 $.ajax({
                     type: 'POST',
+                    headers: {
+                        "X-API-CSRF": <?=$this->escapeJs(
+                            $csrf->generate(\App\Middleware\Auth\ApiAuth::API_CSRF_NAMESPACE)
+                        ) ?>
+                    },
                     url: btn.attr('href'),
                     success: function (data) {
                         // Only restart if the user isn't on a form page