Fix Markdown preview (#368)

2024-12-22 12:32:40 +00:00 · 2024-11-02 01:05:43 +01:00 · 2024-11-02 01:05:43 +01:00 · d537153785
commit d537153785
parent 97b9fa1100
4 changed files with 11 additions and 6 deletions
--- a/internal/cli/main.go
+++ b/internal/cli/main.go
@ -37,7 +37,7 @@ var CmdStart = cli.Command{

 		Initialize(ctx)

-		go web.NewServer(os.Getenv("OG_DEV") == "1", path.Join(config.GetHomeDir(), "sessions")).Start()
+		go web.NewServer(os.Getenv("OG_DEV") == "1", path.Join(config.GetHomeDir(), "sessions"), false).Start()
 		go ssh.Start()

 		<-stopCtx.Done()
--- a/internal/web/server.go
+++ b/internal/web/server.go
@ -164,7 +164,7 @@ type Server struct {
 	dev  bool
 }

-func NewServer(isDev bool, sessionsPath string) *Server {
+func NewServer(isDev bool, sessionsPath string, ignoreCsrf bool) *Server {
 	dev = isDev
 	flashStore = sessions.NewCookieStore([]byte("opengist"))
 	encryptKey, _ := utils.GenerateSecretKey(filepath.Join(sessionsPath, "session-encrypt.key"))
@ -245,15 +245,16 @@ func NewServer(isDev bool, sessionsPath string) *Server {
 	// Web based routes
 	g1 := e.Group("")
 	{
-		if !dev {
+		if !ignoreCsrf {
 			g1.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
 				TokenLookup:    "form:_csrf,header:X-CSRF-Token",
 				CookiePath:     "/",
 				CookieHTTPOnly: true,
 				CookieSameSite: http.SameSiteStrictMode,
 			}))
+			g1.Use(csrfInit)
 		}
-		g1.Use(csrfInit)
+
 		g1.GET("/", create, logged)
 		g1.POST("/", processCreate, logged)
 		g1.POST("/preview", preview, logged)
--- a/internal/web/test/server.go
+++ b/internal/web/test/server.go
@ -33,7 +33,7 @@ type testServer struct {

 func newTestServer() (*testServer, error) {
 	s := &testServer{
-		server: web.NewServer(true, path.Join(config.GetHomeDir(), "tmp", "sessions")),
+		server: web.NewServer(true, path.Join(config.GetHomeDir(), "tmp", "sessions"), true),
 	}

 	go s.start()
--- a/public/editor.ts
+++ b/public/editor.ts
@ -73,10 +73,14 @@ document.addEventListener("DOMContentLoaded", () => {
            } else {
                const formData = new FormData();
                formData.append('content', editor.state.doc.toString());
+                let csrf = document.querySelector<HTMLInputElement>('form#create input[name="_csrf"]').value
                fetch(`${baseUrl}/preview`, {
                    method: 'POST',
                    credentials: 'same-origin',
-                    body: formData
+                    body: formData,
+                    headers: {
+                        'X-CSRF-Token': csrf
+                    }
                }).then(r => r.text()).then(r => {
                    let divpreview = dom.querySelector("div.preview") as HTMLElement;
                    divpreview!.innerHTML = r;