Making sure image uploads have jwt cookie. Fixes #1291 (#1299)

author Dessalines <dessalines@users.noreply.github.com>

Tue, 1 Dec 2020 17:48:39 +0000 (12:48 -0500)

committer GitHub <noreply@github.com>

Tue, 1 Dec 2020 17:48:39 +0000 (17:48 +0000)
author Dessalines <dessalines@users.noreply.github.com>
Tue, 1 Dec 2020 17:48:39 +0000 (12:48 -0500)
committer GitHub <noreply@github.com>
Tue, 1 Dec 2020 17:48:39 +0000 (17:48 +0000)
diff --git a/src/routes/images.rs b/src/routes/images.rs

index deaf11ebf6e031f1ebae643f849e56084fb80a93..eb3a773f97639c604247c92eeebcf56e9886d50e 100644 (file)
--- a/src/routes/images.rs
+++ b/src/routes/images.rs
@@ -1,6 +1,7 @@
  use actix::clock::Duration;
  use actix_web::{body::BodyStream, http::StatusCode, *};
  use awc::Client;
+use lemmy_api::claims::Claims;
  use lemmy_rate_limit::RateLimit;
  use lemmy_utils::settings::Settings;
  use serde::{Deserialize, Serialize};
@@ -46,7 +47,14 @@ async fn upload(
    body: web::Payload,
    client: web::Data<Client>,
  ) -> Result<HttpResponse, Error> {
-  // TODO: check auth and rate limit here
+  // TODO: check rate limit here
+  let jwt = req
+    .cookie("jwt")
+    .expect("No auth header for picture upload");
+
+  if Claims::decode(jwt.value()).is_err() {
+    return Ok(HttpResponse::Unauthorized().finish());
+  };
  
    let mut res = client
      .request_from(format!("{}/image", Settings::get().pictrs_url), req.head())
author	Dessalines <dessalines@users.noreply.github.com>
	Tue, 1 Dec 2020 17:48:39 +0000 (12:48 -0500)
committer	GitHub <noreply@github.com>
	Tue, 1 Dec 2020 17:48:39 +0000 (17:48 +0000)