Cleaned up csrf exemptions

Cleaned up models Added UNIQUE constraint on many-many tables Added form parsing/ userid from API key lookup in middleware
2024-11-15 00:37:14 +00:00 · 2014-02-04 15:23:09 -06:00 · 2014-02-04 15:23:09 -06:00 · 359fa01c1c
commit 359fa01c1c
parent 4c722afe8b
4 changed files with 30 additions and 26 deletions
--- a/controllers/route.go
+++ b/controllers/route.go
@ -37,12 +37,14 @@ func CreateRouter() *nosurf.CSRFHandler {
 	api.HandleFunc("/groups", Use(API_Groups, mid.RequireAPIKey))
 	api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey))

-	//Setup static file serving
+	// Setup static file serving
 	router.PathPrefix("/").Handler(http.FileServer(http.Dir("./static/")))

-	//Setup CSRF Protection
+	// Setup CSRF Protection
 	csrfHandler := nosurf.New(router)
-	csrfHandler.ExemptGlob("/api/*/*")
+	// Exempt API routes and Static files
+	csrfHandler.ExemptGlob("/api/campaigns*")
+	csrfHandler.ExemptGlob("/api/groups*")
 	csrfHandler.ExemptGlob("/static/*")
 	return csrfHandler
 }
--- a/db/db.go
+++ b/db/db.go
@ -26,7 +26,6 @@ func Setup() error {
 	Conn.AddTableWithName(models.User{}, "users").SetKeys(true, "Id")
 	Conn.AddTableWithName(models.Campaign{}, "campaigns").SetKeys(true, "Id")
 	Conn.AddTableWithName(models.Group{}, "groups").SetKeys(true, "Id")
-	Conn.AddTableWithName(models.GroupTarget{}, "group_target")
 	if err != nil {
 		fmt.Println("Database not found, recreating...")
 		createTablesSQL := []string{
@ -34,8 +33,9 @@ func Setup() error {
 			`CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, hash VARCHAR(60) NOT NULL, api_key VARCHAR(32));`,
 			`CREATE TABLE campaigns (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, created_date TIMESTAMP NOT NULL, completed_date TIMESTAMP, template TEXT, status TEXT NOT NULL, uid INTEGER, FOREIGN KEY (uid) REFERENCES users(id));`,
 			`CREATE TABLE targets (id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT NOT NULL);`,
-			`CREATE TABLE groups (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL);`,
-			`CREATE TABLE group_targets (gid INTEGER NOT NULL, tid INTEGER NOT NULL, FOREIGN KEY (gid) REFERENCES groups(id), FOREIGN KEY (tid) REFERENCES targets(id));`,
+			`CREATE TABLE groups (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, modified_date TIMESTAMP NOT NULL);`,
+			`CREATE TABLE user_groups (uid INTEGER NOT NULL, gid INTEGER NOT NULL, FOREIGN KEY (uid) REFERENCES users(id), FOREIGN KEY (gid) REFERENCES groups(id), UNIQUE(uid, gid))`,
+			`CREATE TABLE group_targets (gid INTEGER NOT NULL, tid INTEGER NOT NULL, FOREIGN KEY (gid) REFERENCES groups(id), FOREIGN KEY (tid) REFERENCES targets(id), UNIQUE(gid, tid));`,
 		}
 		fmt.Println("Creating db at " + config.Conf.DBPath)
 		//Create the tables needed
--- a/middleware/middleware.go
+++ b/middleware/middleware.go
@ -5,6 +5,7 @@ import (

 	ctx "github.com/gorilla/context"
 	"github.com/jordan-wright/gophish/auth"
+	"github.com/jordan-wright/gophish/db"
 )

 // GetContext wraps each request in a function which fills in the context for a given request.
@ -12,6 +13,11 @@ import (
 func GetContext(handler http.Handler) http.HandlerFunc {
 	// Set the context here
 	return func(w http.ResponseWriter, r *http.Request) {
+		// Parse the request form
+		err := r.ParseForm()
+		if err != nil {
+			http.Error(w, "Error parsing request", http.StatusInternalServerError)
+		}
 		// Set the context appropriately here.
 		// Set the session
 		session, _ := auth.Store.Get(r, "gophish")
@ -39,6 +45,12 @@ func RequireAPIKey(handler http.Handler) http.HandlerFunc {
 		if ak == "" {
 			JSONError(w, 500, "API Key not set")
 		} else {
+			id, err := db.Conn.SelectInt("SELECT id FROM users WHERE api_key=?", ak)
+			if id == 0 || err != nil {
+				http.Error(w, "Error: Invalid API Key", http.StatusInternalServerError)
+				return
+			}
+			ctx.Set(r, "user_id", id)
 			ctx.Set(r, "api_key", ak)
 			handler.ServeHTTP(w, r)
 		}
--- a/models/models.go
+++ b/models/models.go
@ -1,11 +1,9 @@
 package models

-import (
-	"net/mail"
+import

-	// SMTPServer is used to provide a default SMTP server preference.
-	"time"
-)
+// SMTPServer is used to provide a default SMTP server preference.
+"time"

 type SMTPServer struct {
 	Host     string `json:"host"`
@ -46,11 +44,6 @@ type Campaign struct {
 	Uid           int64     `json:"-"`
 }

-type UserCampaigns struct {
-	CampaignId int64
-	UserId     int64
-}
-
 type Result struct {
 	Id       int64
 	TargetId int64
@ -58,17 +51,14 @@ type Result struct {
 }

 type Group struct {
-	Id      int64 `json:"id"`
-	Targets []Target
-	Uid     int64
-}
-
-type GroupTarget struct {
-	Gid int64
-	Tid int64
+	Id           int64     `json:"id"`
+	Name         string    `json:"name"`
+	ModifiedDate time.Time `json:"modified_date" db:"modified_date"`
+	Targets      []Target  `json:"targets" db:"-"`
+	Uid          int64     `json:"-"`
 }

 type Target struct {
-	Id    int64        `json:"-"`
-	Email mail.Address `json:"email"`
+	Id    int64  `json:"-"`
+	Email string `json:"email"`
 }