Cleaned up csrf exemptions

Cleaned up models
Added UNIQUE constraint on many-many tables
Added form parsing/ userid from API key lookup in middleware
pull/24/head
Jordan 2014-02-04 15:23:09 -06:00
parent 4c722afe8b
commit 359fa01c1c
4 changed files with 30 additions and 26 deletions

View File

@ -42,7 +42,9 @@ func CreateRouter() *nosurf.CSRFHandler {
// Setup CSRF Protection
csrfHandler := nosurf.New(router)
csrfHandler.ExemptGlob("/api/*/*")
// Exempt API routes and Static files
csrfHandler.ExemptGlob("/api/campaigns*")
csrfHandler.ExemptGlob("/api/groups*")
csrfHandler.ExemptGlob("/static/*")
return csrfHandler
}

View File

@ -26,7 +26,6 @@ func Setup() error {
Conn.AddTableWithName(models.User{}, "users").SetKeys(true, "Id")
Conn.AddTableWithName(models.Campaign{}, "campaigns").SetKeys(true, "Id")
Conn.AddTableWithName(models.Group{}, "groups").SetKeys(true, "Id")
Conn.AddTableWithName(models.GroupTarget{}, "group_target")
if err != nil {
fmt.Println("Database not found, recreating...")
createTablesSQL := []string{
@ -34,8 +33,9 @@ func Setup() error {
`CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, hash VARCHAR(60) NOT NULL, api_key VARCHAR(32));`,
`CREATE TABLE campaigns (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, created_date TIMESTAMP NOT NULL, completed_date TIMESTAMP, template TEXT, status TEXT NOT NULL, uid INTEGER, FOREIGN KEY (uid) REFERENCES users(id));`,
`CREATE TABLE targets (id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT NOT NULL);`,
`CREATE TABLE groups (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL);`,
`CREATE TABLE group_targets (gid INTEGER NOT NULL, tid INTEGER NOT NULL, FOREIGN KEY (gid) REFERENCES groups(id), FOREIGN KEY (tid) REFERENCES targets(id));`,
`CREATE TABLE groups (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, modified_date TIMESTAMP NOT NULL);`,
`CREATE TABLE user_groups (uid INTEGER NOT NULL, gid INTEGER NOT NULL, FOREIGN KEY (uid) REFERENCES users(id), FOREIGN KEY (gid) REFERENCES groups(id), UNIQUE(uid, gid))`,
`CREATE TABLE group_targets (gid INTEGER NOT NULL, tid INTEGER NOT NULL, FOREIGN KEY (gid) REFERENCES groups(id), FOREIGN KEY (tid) REFERENCES targets(id), UNIQUE(gid, tid));`,
}
fmt.Println("Creating db at " + config.Conf.DBPath)
//Create the tables needed

View File

@ -5,6 +5,7 @@ import (
ctx "github.com/gorilla/context"
"github.com/jordan-wright/gophish/auth"
"github.com/jordan-wright/gophish/db"
)
// GetContext wraps each request in a function which fills in the context for a given request.
@ -12,6 +13,11 @@ import (
func GetContext(handler http.Handler) http.HandlerFunc {
// Set the context here
return func(w http.ResponseWriter, r *http.Request) {
// Parse the request form
err := r.ParseForm()
if err != nil {
http.Error(w, "Error parsing request", http.StatusInternalServerError)
}
// Set the context appropriately here.
// Set the session
session, _ := auth.Store.Get(r, "gophish")
@ -39,6 +45,12 @@ func RequireAPIKey(handler http.Handler) http.HandlerFunc {
if ak == "" {
JSONError(w, 500, "API Key not set")
} else {
id, err := db.Conn.SelectInt("SELECT id FROM users WHERE api_key=?", ak)
if id == 0 || err != nil {
http.Error(w, "Error: Invalid API Key", http.StatusInternalServerError)
return
}
ctx.Set(r, "user_id", id)
ctx.Set(r, "api_key", ak)
handler.ServeHTTP(w, r)
}

View File

@ -1,11 +1,9 @@
package models
import (
"net/mail"
import
// SMTPServer is used to provide a default SMTP server preference.
"time"
)
type SMTPServer struct {
Host string `json:"host"`
@ -46,11 +44,6 @@ type Campaign struct {
Uid int64 `json:"-"`
}
type UserCampaigns struct {
CampaignId int64
UserId int64
}
type Result struct {
Id int64
TargetId int64
@ -59,16 +52,13 @@ type Result struct {
type Group struct {
Id int64 `json:"id"`
Targets []Target
Uid int64
}
type GroupTarget struct {
Gid int64
Tid int64
Name string `json:"name"`
ModifiedDate time.Time `json:"modified_date" db:"modified_date"`
Targets []Target `json:"targets" db:"-"`
Uid int64 `json:"-"`
}
type Target struct {
Id int64 `json:"-"`
Email mail.Address `json:"email"`
Email string `json:"email"`
}