From: Dessalines Date: Tue, 1 Dec 2020 17:48:39 +0000 (-0500) Subject: Making sure image uploads have jwt cookie. Fixes #1291 (#1299) X-Git-Url: http://these/git/%7B%60%24%7BwebArchiveUrl%7D/%22%7B%7D/readmes/%7B%7D/%22%7Burl%7D/%7Biframely.url%7D?a=commitdiff_plain;h=45efa94ba46ca70f20cb37fd8908be76bbb65dac;p=lemmy.git Making sure image uploads have jwt cookie. Fixes #1291 (#1299) --- diff --git a/src/routes/images.rs b/src/routes/images.rs index deaf11eb..eb3a773f 100644 --- a/src/routes/images.rs +++ b/src/routes/images.rs @@ -1,6 +1,7 @@ use actix::clock::Duration; use actix_web::{body::BodyStream, http::StatusCode, *}; use awc::Client; +use lemmy_api::claims::Claims; use lemmy_rate_limit::RateLimit; use lemmy_utils::settings::Settings; use serde::{Deserialize, Serialize}; @@ -46,7 +47,14 @@ async fn upload( body: web::Payload, client: web::Data, ) -> Result { - // TODO: check auth and rate limit here + // TODO: check rate limit here + let jwt = req + .cookie("jwt") + .expect("No auth header for picture upload"); + + if Claims::decode(jwt.value()).is_err() { + return Ok(HttpResponse::Unauthorized().finish()); + }; let mut res = client .request_from(format!("{}/image", Settings::get().pictrs_url), req.head())