Disallow no-ip/DynDNS updates except through Basic/Bearer Authorization to avoid CSRF

This commit is contained in:
nemunaire 2024-05-28 17:22:04 +02:00
parent 4773dfa502
commit 465652a9e9


@ -38,6 +38,11 @@ func declareApiCompatRoutes(cfg *config.Options, router *gin.RouterGroup) {
}
func noipUpdateRoute(c *gin.Context) {
if auth_method, ok := c.Get("AuthMethod"); !ok || (auth_method != "basic" && auth_method != "bearer") {
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": "To avoid security issues (CSRF), you can only use /nic/update with the HTTP Bearer Authorization header. Generate a key in your account settings."})
return
}
user := myUser(c)
if user == nil {
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": "User not defined"})