Add token for the bookmarklet

This commit is contained in:
Frédéric Guillot 2014-05-28 16:44:25 -04:00
parent 4071b2bd2b
commit 3e1229a4d1
5 changed files with 28 additions and 9 deletions


@ -218,14 +218,19 @@ Router\get_action('add', function() {
// Add a feed with the form or directly from the url, it can be used by a bookmarklet by example // Add a feed with the form or directly from the url, it can be used by a bookmarklet by example
Router\action('subscribe', function() { Router\action('subscribe', function() {
if (Request\param('url')) { if (Request\is_post()) {
$values = array();
$url = Request\param('url');
}
else {
$values = Request\values(); $values = Request\values();
$url = isset($values['url']) ? $values['url'] : ''; $url = isset($values['url']) ? $values['url'] : '';
} }
else {
$values = array();
$url = Request\param('url');
$token = Request\param('token');
if ($token !== Model\Config\get('bookmarklet_token')) {
Response\text('Access Forbidden', 403);
}
}
$values += array('download_content' => 0); $values += array('download_content' => 0);
$url = trim($url); $url = trim($url);
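Review bot: The token check on L26 compares the secret with `!==`, which returns on the first differing byte; compare it in constant time instead, e.g. `if (!hash_equals((string) Model\Config\get('bookmarklet_token'), (string) $token)) {` (or an equivalent fixed-time helper where `hash_equals` is not available). Whether `Response\text('Access Forbidden', 403)` on L27 terminates the request is not visible here; if it only emits the body, execution falls through to the subscription code below with a bad token, so an explicit `return` or `exit` after it would make the intent unambiguous. The bookmarklet sends the token as a GET parameter, so it will appear in access logs and browser history; a comment noting that it is a low-value credential that can be rotated via `new_tokens()` would help the next maintainer. The body of the `subscribe` action continues outside the hunk.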


@ -8,7 +8,7 @@ use PicoDb\Database;
use PicoFeed\Config as ReaderConfig; use PicoFeed\Config as ReaderConfig;
use PicoFeed\Logging; use PicoFeed\Logging;
const DB_VERSION = 25; const DB_VERSION = 26;
const HTTP_USER_AGENT = 'Miniflux (http://miniflux.net)'; const HTTP_USER_AGENT = 'Miniflux (http://miniflux.net)';
// Get PicoFeed config // Get PicoFeed config
@ -155,7 +155,7 @@ function get_nothing_to_read_redirections()
function generate_token() function generate_token()
{ {
if (function_exists('openssl_random_pseudo_bytes')) { if (function_exists('openssl_random_pseudo_bytes')) {
return bin2hex(\openssl_random_pseudo_bytes(16)); return bin2hex(\openssl_random_pseudo_bytes(25));
} }
else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') { else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30)); return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30));
@ -170,6 +170,7 @@ function new_tokens()
$values = array( $values = array(
'api_token' => generate_token(), 'api_token' => generate_token(),
'feed_token' => generate_token(), 'feed_token' => generate_token(),
'bookmarklet_token' => generate_token(),
); );
return Database::get('db')->table('config')->update($values); return Database::get('db')->table('config')->update($values);
@ -232,6 +233,7 @@ function get_all()
'theme', 'theme',
'api_token', 'api_token',
'feed_token', 'feed_token',
'bookmarklet_token',
'auth_google_token', 'auth_google_token',
'auth_mozilla_token', 'auth_mozilla_token',
'items_sorting_direction', 'items_sorting_direction',
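Review bot: `generate_token()` (L44-L45) discards the `$crypto_strong` out-parameter of `openssl_random_pseudo_bytes()`, so a token may be built from bytes the library itself flags as not cryptographically strong, with no signal to the caller; pass the flag and fall through to the next source when it is false: `$bytes = \openssl_random_pseudo_bytes(25, $strong); if ($bytes !== false && $strong) { return bin2hex($bytes); }`. Raising the length to 25 bytes is fine, but a short docblock stating the intended entropy and listing the consumers (API, feed and now bookmarklet tokens) would document why the size matters. The rest of `generate_token()` and the bodies of `new_tokens()` and `get_all()` continue outside their hunks.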


@ -3,6 +3,12 @@
namespace Schema; namespace Schema;
function version_26($pdo)
{
$pdo->exec('ALTER TABLE config ADD COLUMN bookmarklet_token TEXT DEFAULT "'.\Model\Config\generate_token().'"');
}
function version_25($pdo) function version_25($pdo)
{ {
$pdo->exec( $pdo->exec(
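Review bot: `version_26()` (L71) bakes the generated token into the column's `DEFAULT` clause, so the secret is persisted in the table definition itself and remains readable there even after `new_tokens()` rotates the stored value; it also builds the statement by string concatenation. Adding the column without a default and setting the value through a bound parameter avoids both: `$pdo->exec('ALTER TABLE config ADD COLUMN bookmarklet_token TEXT'); $rq = $pdo->prepare('UPDATE config SET bookmarklet_token=?'); $rq->execute(array(\Model\Config\generate_token()));`. Today the token is hex, so the concatenation cannot break the statement, but the bound parameter removes that dependency on `generate_token()`'s output format.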


@ -73,7 +73,7 @@
<ul> <ul>
<li> <li>
<?= t('Bookmarklet:') ?> <?= t('Bookmarklet:') ?>
<a href="javascript:location.href='<?= Helper\get_current_base_url() ?>?action=subscribe&amp;url='+encodeURIComponent(location.href)"><?= t('Subscribe with Miniflux') ?></a> (<?= t('Drag and drop this link to your bookmarks') ?>) <a href="javascript:location.href='<?= Helper\get_current_base_url() ?>?action=subscribe&amp;token=<?= urlencode($values['bookmarklet_token']) ?>&amp;url='+encodeURIComponent(location.href)"><?= t('Subscribe with Miniflux') ?></a> (<?= t('Drag and drop this link to your bookmarks') ?>)
<li> <li>
<?= t('Bookmarks RSS Feed:') ?> <?= t('Bookmarks RSS Feed:') ?>
<a href="<?= Helper\get_current_base_url().'?action=bookmark-feed&amp;token='.urlencode($values['feed_token']) ?>" target="_blank"><?= Helper\get_current_base_url().'?action=bookmark-feed&amp;token='.urlencode($values['feed_token']) ?></a> <a href="<?= Helper\get_current_base_url().'?action=bookmark-feed&amp;token='.urlencode($values['feed_token']) ?>" target="_blank"><?= Helper\get_current_base_url().'?action=bookmark-feed&amp;token='.urlencode($values['feed_token']) ?></a>
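Review bot: The token inserted on L83 is only `urlencode()`d, yet it is emitted inside an HTML attribute that wraps a JavaScript string literal; that is safe today only because `generate_token()` yields hex characters. Wrapping the value with `htmlspecialchars()` as well, e.g. `<?= htmlspecialchars(urlencode($values['bookmarklet_token']), ENT_QUOTES, 'UTF-8') ?>`, keeps the template correct in both contexts if the token format ever changes. A comment above the link noting that the token is deliberately embedded in a GET URL (and therefore visible in logs) would record that trade-off.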


@ -76,3 +76,9 @@ function file_move($field, $destination)
move_uploaded_file($_FILES[$field]['tmp_name'], $destination); move_uploaded_file($_FILES[$field]['tmp_name'], $destination);
} }
} }
function is_post()
{
return isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST';
}
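Review bot: `is_post()` (L94-L97) is added without a docblock; a one-liner such as `/** Return true when the current request was sent with the POST method. @return bool */` would document that it depends on `$_SERVER['REQUEST_METHOD']` being populated by the web server. The strict `===` against `'POST'` means a non-uppercase method string does not match; that is correct for a web SAPI but worth noting for callers that exercise the code from tests or the CLI where the variable may be absent.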