nihonium/nyanimedb
1
0
Fork 1
Code Issues 11 Pull requests Releases Packages 3 Activity Actions

fix: reworked csrf
All checks were successful
Build and Deploy Go App / build (push) Successful in 5m32s
Details
Build and Deploy Go App / deploy (push) Successful in 35s
Details

Browse source
This commit is contained in:
nihonium 2025-12-04 10:12:05 +03:00
parent 475266eef6
commit bd868bb724
Signed by: nihonium
GPG key ID: 0251623741027CFC
16 changed files with 39 additions and 150 deletions
Download patch file Download diff file Expand all files Collapse all files

54
api/_build/openapi.yaml
View file

@ -150,8 +150,6 @@ paths:
description: User not found
'500':
description: Unknown server error
security:
- JwtAuthCookies: []
patch:
operationId: updateUser
summary: Partially update a user account
@ -160,7 +158,6 @@ paths:
Password updates must be done via the dedicated auth-service (`/auth/`).
Fields not provided in the request body remain unchanged.
parameters:
- $ref: '#/components/parameters/csrfTokenHeader'
- name: user_id
in: path
description: User ID (primary key)
@ -229,7 +226,7 @@ paths:
'500':
description: Unknown server error
security:
- JwtAuthCookies: []
XsrfAuthHeader: []
'/users/{user_id}/titles':
get:
operationId: getUserTitles
@ -405,14 +402,11 @@ paths:
description: User or title not found
'500':
description: Unknown server error
security:
- JwtAuthCookies: []
patch:
operationId: updateUserTitle
summary: Update a usertitle
description: User updating title list of watched
parameters:
- $ref: '#/components/parameters/csrfTokenHeader'
- name: user_id
in: path
required: true
@ -455,13 +449,12 @@ paths:
'500':
description: Internal server error
security:
- JwtAuthCookies: []
- XsrfAuthHeader: []
delete:
operationId: deleteUserTitle
summary: Delete a usertitle
description: User deleting title from list of watched
parameters:
- $ref: '#/components/parameters/csrfTokenHeader'
- name: user_id
in: path
required: true
@ -486,42 +479,9 @@ paths:
'500':
description: Internal server error
security:
- JwtAuthCookies: []
- XsrfAuthHeader: []
components:
parameters:
accessToken:
name: access_token
in: cookie
required: true
schema:
type: string
format: jwt
example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.x.y
description: |
JWT access token.
csrfToken:
name: xsrf_token
in: cookie
required: true
schema:
type: string
pattern: '^[a-zA-Z0-9_-]{32,64}$'
example: abc123def456ghi789jkl012mno345pqr
description: |
Anti-CSRF token (Double Submit Cookie pattern).
Stored in non-HttpOnly cookie, readable by JavaScript.
Must be echoed in `X-XSRF-TOKEN` header for state-changing requests (POST/PUT/PATCH/DELETE).
csrfTokenHeader:
name: X-XSRF-TOKEN
in: header
required: true
schema:
type: string
pattern: '^[a-zA-Z0-9_-]{32,64}$'
description: |
Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
Required for all state-changing requests (POST/PUT/PATCH/DELETE).
example: abc123def456ghi789jkl012mno345pqr
cursor:
in: query
name: cursor
@ -780,3 +740,11 @@ components:
Review:
type: object
additionalProperties: true
securitySchemes:
XsrfAuthHeader:
type: apiKey
in: header
name: X-XSRF-TOKEN
description: |
Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
Required for all state-changing requests (POST/PUT/PATCH/DELETE).