client/web: add csrf protection to web client api

Adds csrf protection and hooks up an initial POST request from the React web client. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-08-16 18:52:31 -04:00
parent 77ff705545
commit 077bbb8403
11 changed files with 245 additions and 47 deletions
--- a/client/web/api.go
+++ b/client/web/api.go
@ -0,0 +1,41 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package web
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gorilla/csrf"
+	"tailscale.com/util/httpm"
+)
+
+type api struct {
+	s *Server
+}
+
+// ServeHTTP serves requests for the web client api.
+// It should only be called by Server.ServeHTTP, via Server.apiHandler,
+// which protects the handler using gorilla csrf.
+func (a *api) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("X-CSRF-Token", csrf.Token(r))
+	user, err := authorize(w, r)
+	if err != nil {
+		return
+	}
+	path := strings.TrimPrefix(r.URL.Path, "/api")
+	switch path {
+	case "/data":
+		switch r.Method {
+		case httpm.GET:
+			a.s.serveGetNodeDataJSON(w, r, user)
+		case httpm.POST:
+			a.s.servePostNodeUpdate(w, r)
+		default:
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		}
+		return
+	}
+	http.Error(w, "invalid endpoint", http.StatusNotFound)
+}