fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-04 17:44:38 +09:00
Code Issues Projects Releases Packages Wiki Activity

Add more info to getLoginStatus and enforce stricter access control

Browse source 
AJAX를 많이 사용하는 페이지나 SPA에서 member.getLoginStatus API를 통해
현재 로그인 상태에 대해 더 자세한 정보를 알 수 있도록 함과 동시에,
이 정보를 외부에서 가로채지 못하도록 리퍼러 체크 및 CORS 제한을 추가
This commit is contained in:
Kijin Sung 2022-10-20 16:15:07 +09:00
parent 2ca32e0062
commit ed131897c5
1 changed files with 14 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
modules/member/member.model.php
View file

@ -179,8 +179,22 @@ class memberModel extends member
*/ */
public function getLoginStatus() public function getLoginStatus()
{ {
// Check origin
$origin = strval(($_SERVER['HTTP_ORIGIN'] ?? '') ?: ($_SERVER['HTTP_REFERER'] ?? ''));
if ($origin !== '' && $origin !== 'null' && !Rhymix\Framework\URL::isInternalURL($origin))
{
throw new Rhymix\Framework\Exceptions\SecurityViolation();
}
// Add CORS restriction
header('Access-Control-Allow-Origin: ' . rtrim(Rhymix\Framework\Url::getCurrentDomainURL(), '/'));
header('Cross-Origin-Resource-Policy: same-origin');
// Return login status and CSRF token
Context::setResponseMethod('JSON'); Context::setResponseMethod('JSON');
$this->add('status', Rhymix\Framework\Session::getLoginStatus()); $this->add('status', Rhymix\Framework\Session::getLoginStatus());
$this->add('csrf_token', Rhymix\Framework\Session::getGenericToken());
$this->add('last_login', Rhymix\Framework\Session::getLastLoginTime());
} }
/** /**