Fix 8688gxkuj

KernelDeimos · KernelDeimos · commit f042b095f13d · 2024-05-16T17:25:41.000-04:00
diff --git a/packages/backend/src/routers/down.js b/packages/backend/src/routers/down.js
@@ -11,7 +11,7 @@ const { HLRead } = require('../filesystem/hl_operations/hl_read.js');
 // -----------------------------------------------------------------------//
 // GET /down
 // -----------------------------------------------------------------------//
-router.get('/down', auth, fs, express.json(), async (req, res, next)=>{
+router.post('/down', auth, fs, express.json(), async (req, res, next)=>{
     // check subdomain
     if(require('../helpers').subdomain(req) !== 'api')
         next();
@@ -20,6 +20,12 @@ router.get('/down', auth, fs, express.json(), async (req, res, next)=>{
     if((config.strict_email_verification_required || req.user.requires_email_confirmation) && !req.user.email_confirmed)
         return res.status(400).send({code: 'account_is_not_verified', message: 'Account is not verified'});
 
+    // check anti-csrf token
+    const svc_antiCSRF = req.services.get('anti-csrf');
+    if ( ! svc_antiCSRF.consume_token(req.user.uuid, req.body.anti_csrf) ) {
+        return res.status(400).json({ message: 'incorrect anti-CSRF token' });
+    }
+
     // validation
     if(!req.query.path)
         return res.status(400).send('path is required')
diff --git a/src/helpers.js b/src/helpers.js
@@ -1542,12 +1542,26 @@ window.trigger_download = (paths)=>{
         });
     }
 
-    urls.forEach(function (e) {                
-        fetch(e.download)                  
-            .then(res => res.blob())                  
-            .then(blob => {                    
-                saveAs(blob, e.filename);                
-            });            
+    urls.forEach(async function (e) {                
+        const anti_csrf = await (async () => {
+            const resp = await fetch(`${window.gui_origin}/get-anticsrf-token`);
+            const { token } = await resp.json();
+            return token;
+        })();
+        fetch(e.download, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': 'Bearer ' + puter.authToken,
+            },
+            body: JSON.stringify({
+                anti_csrf,
+            }),
+        })
+            .then(res => res.blob())
+            .then(blob => {
+                saveAs(blob, e.filename);
+            });
     });
 }
 
