From 0eb78d530376c43d228e3e071e032fe9849149ed Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Sat, 1 Oct 2016 09:09:07 +0200
Subject: Server: do not forget to check the signature when another pod wants to quit us
---
 server/controllers/api/v1/pods.js | 7 ++++++-
 server/controllers/api/v1/remote.js | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
(limited to 'server/controllers')
diff --git a/server/controllers/api/v1/pods.js b/server/controllers/api/v1/pods.js
index 2bdfe0c92..d509db964 100644
--- a/server/controllers/api/v1/pods.js
+++ b/server/controllers/api/v1/pods.js
@@ -10,6 +10,7 @@ const friends = require('../../../lib/friends')
 const middlewares = require('../../../middlewares')
 const admin = middlewares.admin
 const oAuth = middlewares.oauth
+const checkSignature = middlewares.secure.checkSignature
 const validators = middlewares.validators.pods
 const signatureValidator = middlewares.validators.remote.signature
@@ -31,7 +32,11 @@ router.get('/quitfriends',
 quitFriends
 )
 // Post because this is a secured request
-router.post('/remove', signatureValidator, removePods)
+router.post('/remove',
+ signatureValidator,
+ checkSignature,
+ removePods
+)
 // ---------------------------------------------------------------------------
diff --git a/server/controllers/api/v1/remote.js b/server/controllers/api/v1/remote.js
index f452986b8..a22c5d151 100644
--- a/server/controllers/api/v1/remote.js
+++ b/server/controllers/api/v1/remote.js
@@ -16,6 +16,7 @@ const Video = mongoose.model('Video')
 router.post('/videos',
 validators.signature,
 validators.dataToDecrypt,
+ secureMiddleware.checkSignature,
 secureMiddleware.decryptBody,
 validators.remoteVideos,
 remoteVideos
-- 
cgit v1.2.3
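Review bot: The `/remove` route in pods.js now authenticates the caller, but nothing in this commit keeps it that way: the diffstat touches only the two controllers, so a later edit to the chain could drop `checkSignature` again unnoticed. A request test that posts to `/remove` with a missing or invalid signature and expects a rejection, with the pod still listed afterwards, would pin the fix. Since neither `checkSignature` nor `removePods` is shown here, it is also worth confirming that the pod being removed is the one whose key verified the signature, not one named by a separate body field. The same goes for what the signature covers: it should be bound to this request (endpoint plus a timestamp or nonce), not to a value that is identical in every request from that pod. The existing comment could carry the intent, e.g. `// Secured request: signatureValidator checks the shape, checkSignature authenticates the calling pod`.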
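Review bot: The position of `secureMiddleware.checkSignature` in the `/videos` chain in remote.js is load-bearing and should be commented, because it must stay ahead of `secureMiddleware.decryptBody` so that nothing from an unauthenticated pod is decrypted or parsed. A line such as `// checkSignature must run before decryptBody: authenticate the pod first` above the route would do. This commit fixes the same omission in two files, so per-route opt-in looks fragile. If every route on this router is pod-to-pod (the rest of remote.js is outside the hunk), mounting the check once with `router.use(validators.signature, secureMiddleware.checkSignature)` would make it the default. The `router.post` call continues past the end of the hunk.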