mirror of https://github.com/gophish/gophish
Cleaned up csrf exemptions
Cleaned up models Added UNIQUE constraint on many-many tables Added form parsing/ userid from API key lookup in middlewarepull/24/head
parent
4c722afe8b
commit
359fa01c1c
|
@ -37,12 +37,14 @@ func CreateRouter() *nosurf.CSRFHandler {
|
||||||
api.HandleFunc("/groups", Use(API_Groups, mid.RequireAPIKey))
|
api.HandleFunc("/groups", Use(API_Groups, mid.RequireAPIKey))
|
||||||
api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey))
|
api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey))
|
||||||
|
|
||||||
//Setup static file serving
|
// Setup static file serving
|
||||||
router.PathPrefix("/").Handler(http.FileServer(http.Dir("./static/")))
|
router.PathPrefix("/").Handler(http.FileServer(http.Dir("./static/")))
|
||||||
|
|
||||||
//Setup CSRF Protection
|
// Setup CSRF Protection
|
||||||
csrfHandler := nosurf.New(router)
|
csrfHandler := nosurf.New(router)
|
||||||
csrfHandler.ExemptGlob("/api/*/*")
|
// Exempt API routes and Static files
|
||||||
|
csrfHandler.ExemptGlob("/api/campaigns*")
|
||||||
|
csrfHandler.ExemptGlob("/api/groups*")
|
||||||
csrfHandler.ExemptGlob("/static/*")
|
csrfHandler.ExemptGlob("/static/*")
|
||||||
return csrfHandler
|
return csrfHandler
|
||||||
}
|
}
|
||||||
|
|
6
db/db.go
6
db/db.go
|
@ -26,7 +26,6 @@ func Setup() error {
|
||||||
Conn.AddTableWithName(models.User{}, "users").SetKeys(true, "Id")
|
Conn.AddTableWithName(models.User{}, "users").SetKeys(true, "Id")
|
||||||
Conn.AddTableWithName(models.Campaign{}, "campaigns").SetKeys(true, "Id")
|
Conn.AddTableWithName(models.Campaign{}, "campaigns").SetKeys(true, "Id")
|
||||||
Conn.AddTableWithName(models.Group{}, "groups").SetKeys(true, "Id")
|
Conn.AddTableWithName(models.Group{}, "groups").SetKeys(true, "Id")
|
||||||
Conn.AddTableWithName(models.GroupTarget{}, "group_target")
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println("Database not found, recreating...")
|
fmt.Println("Database not found, recreating...")
|
||||||
createTablesSQL := []string{
|
createTablesSQL := []string{
|
||||||
|
@ -34,8 +33,9 @@ func Setup() error {
|
||||||
`CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, hash VARCHAR(60) NOT NULL, api_key VARCHAR(32));`,
|
`CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, hash VARCHAR(60) NOT NULL, api_key VARCHAR(32));`,
|
||||||
`CREATE TABLE campaigns (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, created_date TIMESTAMP NOT NULL, completed_date TIMESTAMP, template TEXT, status TEXT NOT NULL, uid INTEGER, FOREIGN KEY (uid) REFERENCES users(id));`,
|
`CREATE TABLE campaigns (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, created_date TIMESTAMP NOT NULL, completed_date TIMESTAMP, template TEXT, status TEXT NOT NULL, uid INTEGER, FOREIGN KEY (uid) REFERENCES users(id));`,
|
||||||
`CREATE TABLE targets (id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT NOT NULL);`,
|
`CREATE TABLE targets (id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT NOT NULL);`,
|
||||||
`CREATE TABLE groups (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL);`,
|
`CREATE TABLE groups (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, modified_date TIMESTAMP NOT NULL);`,
|
||||||
`CREATE TABLE group_targets (gid INTEGER NOT NULL, tid INTEGER NOT NULL, FOREIGN KEY (gid) REFERENCES groups(id), FOREIGN KEY (tid) REFERENCES targets(id));`,
|
`CREATE TABLE user_groups (uid INTEGER NOT NULL, gid INTEGER NOT NULL, FOREIGN KEY (uid) REFERENCES users(id), FOREIGN KEY (gid) REFERENCES groups(id), UNIQUE(uid, gid))`,
|
||||||
|
`CREATE TABLE group_targets (gid INTEGER NOT NULL, tid INTEGER NOT NULL, FOREIGN KEY (gid) REFERENCES groups(id), FOREIGN KEY (tid) REFERENCES targets(id), UNIQUE(gid, tid));`,
|
||||||
}
|
}
|
||||||
fmt.Println("Creating db at " + config.Conf.DBPath)
|
fmt.Println("Creating db at " + config.Conf.DBPath)
|
||||||
//Create the tables needed
|
//Create the tables needed
|
||||||
|
|
|
@ -5,6 +5,7 @@ import (
|
||||||
|
|
||||||
ctx "github.com/gorilla/context"
|
ctx "github.com/gorilla/context"
|
||||||
"github.com/jordan-wright/gophish/auth"
|
"github.com/jordan-wright/gophish/auth"
|
||||||
|
"github.com/jordan-wright/gophish/db"
|
||||||
)
|
)
|
||||||
|
|
||||||
// GetContext wraps each request in a function which fills in the context for a given request.
|
// GetContext wraps each request in a function which fills in the context for a given request.
|
||||||
|
@ -12,6 +13,11 @@ import (
|
||||||
func GetContext(handler http.Handler) http.HandlerFunc {
|
func GetContext(handler http.Handler) http.HandlerFunc {
|
||||||
// Set the context here
|
// Set the context here
|
||||||
return func(w http.ResponseWriter, r *http.Request) {
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
// Parse the request form
|
||||||
|
err := r.ParseForm()
|
||||||
|
if err != nil {
|
||||||
|
http.Error(w, "Error parsing request", http.StatusInternalServerError)
|
||||||
|
}
|
||||||
// Set the context appropriately here.
|
// Set the context appropriately here.
|
||||||
// Set the session
|
// Set the session
|
||||||
session, _ := auth.Store.Get(r, "gophish")
|
session, _ := auth.Store.Get(r, "gophish")
|
||||||
|
@ -39,6 +45,12 @@ func RequireAPIKey(handler http.Handler) http.HandlerFunc {
|
||||||
if ak == "" {
|
if ak == "" {
|
||||||
JSONError(w, 500, "API Key not set")
|
JSONError(w, 500, "API Key not set")
|
||||||
} else {
|
} else {
|
||||||
|
id, err := db.Conn.SelectInt("SELECT id FROM users WHERE api_key=?", ak)
|
||||||
|
if id == 0 || err != nil {
|
||||||
|
http.Error(w, "Error: Invalid API Key", http.StatusInternalServerError)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ctx.Set(r, "user_id", id)
|
||||||
ctx.Set(r, "api_key", ak)
|
ctx.Set(r, "api_key", ak)
|
||||||
handler.ServeHTTP(w, r)
|
handler.ServeHTTP(w, r)
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,11 +1,9 @@
|
||||||
package models
|
package models
|
||||||
|
|
||||||
import (
|
import
|
||||||
"net/mail"
|
|
||||||
|
|
||||||
// SMTPServer is used to provide a default SMTP server preference.
|
// SMTPServer is used to provide a default SMTP server preference.
|
||||||
"time"
|
"time"
|
||||||
)
|
|
||||||
|
|
||||||
type SMTPServer struct {
|
type SMTPServer struct {
|
||||||
Host string `json:"host"`
|
Host string `json:"host"`
|
||||||
|
@ -46,11 +44,6 @@ type Campaign struct {
|
||||||
Uid int64 `json:"-"`
|
Uid int64 `json:"-"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type UserCampaigns struct {
|
|
||||||
CampaignId int64
|
|
||||||
UserId int64
|
|
||||||
}
|
|
||||||
|
|
||||||
type Result struct {
|
type Result struct {
|
||||||
Id int64
|
Id int64
|
||||||
TargetId int64
|
TargetId int64
|
||||||
|
@ -59,16 +52,13 @@ type Result struct {
|
||||||
|
|
||||||
type Group struct {
|
type Group struct {
|
||||||
Id int64 `json:"id"`
|
Id int64 `json:"id"`
|
||||||
Targets []Target
|
Name string `json:"name"`
|
||||||
Uid int64
|
ModifiedDate time.Time `json:"modified_date" db:"modified_date"`
|
||||||
}
|
Targets []Target `json:"targets" db:"-"`
|
||||||
|
Uid int64 `json:"-"`
|
||||||
type GroupTarget struct {
|
|
||||||
Gid int64
|
|
||||||
Tid int64
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type Target struct {
|
type Target struct {
|
||||||
Id int64 `json:"-"`
|
Id int64 `json:"-"`
|
||||||
Email mail.Address `json:"email"`
|
Email string `json:"email"`
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue