diff --git a/backend/server/main/settings.py b/backend/server/main/settings.py index 77c3067..a185178 100644 --- a/backend/server/main/settings.py +++ b/backend/server/main/settings.py @@ -50,6 +50,7 @@ INSTALLED_APPS = ( "allauth_ui", 'allauth', 'allauth.account', + 'allauth.mfa', 'allauth.headless', 'allauth.socialaccount', "widget_tweaks", diff --git a/frontend/src/routes/collections/+page.server.ts b/frontend/src/routes/collections/+page.server.ts index e0cd851..8e2dac7 100644 --- a/frontend/src/routes/collections/+page.server.ts +++ b/frontend/src/routes/collections/+page.server.ts @@ -152,34 +152,9 @@ export const actions: Actions = { formDataToSend.append('end_date', end_date || ''); formDataToSend.append('link', link || ''); - let auth = event.cookies.get('auth'); + let sessionId = event.cookies.get('sessionid'); - if (!auth) { - const refresh = event.cookies.get('refresh'); - if (!refresh) { - return { - status: 401, - body: { message: 'Unauthorized' } - }; - } - let res = await tryRefreshToken(refresh); - if (res) { - auth = res; - event.cookies.set('auth', auth, { - httpOnly: true, - sameSite: 'lax', - expires: new Date(Date.now() + 60 * 60 * 1000), // 60 minutes - path: '/' - }); - } else { - return { - status: 401, - body: { message: 'Unauthorized' } - }; - } - } - - if (!auth) { + if (!sessionId) { return { status: 401, body: { message: 'Unauthorized' } @@ -199,9 +174,10 @@ export const actions: Actions = { method: 'PATCH', headers: { 'X-CSRFToken': csrfToken, - Cookie: auth + Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}` }, - body: formDataToSend + body: formDataToSend, + credentials: 'include' }); if (!res.ok) { @@ -218,6 +194,10 @@ export const actions: Actions = { }, get: async (event) => { if (!event.locals.user) { + return { + status: 401, + body: { message: 'Unauthorized' } + }; } const formData = await event.request.formData(); 
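Review bot: Adding `'allauth.mfa'` to INSTALLED_APPS brings that app's models with it, so the rollout needs a migration run that nothing in this diff shows; confirm `migrate` is part of the deployment for this change. Enabling MFA presumably also introduces an extra login stage for enrolled users, while the session-forwarding routes changed elsewhere in this commit treat any present `sessionid` as a fully authenticated session; verify the login flow handles that stage before the session is relied on. A short comment on the new entry, `# MFA support for allauth; requires migrations`, would record both points next to the setting.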
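Review bot: The new check at `if (!sessionId)` only tests for presence, yet the value comes straight from the client's cookie and is later interpolated into the outbound `Cookie` header (the PATCH in the next hunk), so a value containing `;` would let the caller smuggle extra cookie pairs into the request the server makes to the backend. Validating the format before use closes that off; with Django's default session backend the key is 32 lowercase alphanumerics, so `if (!sessionId || !/^[a-z0-9]{32}$/.test(sessionId)) {` would do, though the exact pattern should be confirmed against the backend's session engine. The same read-and-check preamble is copied into most routes in this diff; one helper in `$lib/index.server` that reads, validates and returns the id would keep the rule in a single place. The enclosing action starts outside the hunk.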
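Review bot: `credentials: 'include'` on this server-side `fetch` does not appear to do anything useful: the Node runtime keeps no cookie jar, and the session is carried by the explicit `Cookie` header built on the line above, so the option only suggests a mechanism that is not in play. Dropping it, or replacing it with a comment such as `// session and CSRF cookies are forwarded explicitly; the server runtime has no cookie jar`, makes the intent clear. The same option is added to the collections list and link fetches later in this file, to the delete in collections/[id], and to the worldtravel load. `csrfToken` is defined outside the hunk, so where it comes from is not visible here.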
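Review bot: Returning `{ status: 401, body: { message: 'Unauthorized' } }` from the `get` action does not produce a 401: a plain object returned from a SvelteKit form action is treated as successful data, so the client receives a 200 with `status: 401` buried in the payload. `return fail(401, { message: 'Unauthorized' });` is the form that actually marks the request as failed (settings/+page.server.ts in this same diff already imports `fail`). The same shape is used in the `if (!sessionId)` branch of the earlier hunk in this file and, as `error: new Error('Unauthorized')`, in the delete action of collections/[id]/+page.server.ts. The enclosing `actions` object continues past the hunk.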
@@ -240,19 +220,20 @@ export const actions: Actions = { let previous = null; let count = 0; - let visitedFetch = await fetch( + let collectionsFetch = await fetch( `${serverEndpoint}/api/collections/?order_by=${order_by}&order_direction=${order_direction}`, { headers: { - Cookie: `${event.cookies.get('auth')}` - } + Cookie: `sessionid=${event.cookies.get('sessionid')}` + }, + credentials: 'include' } ); - if (!visitedFetch.ok) { + if (!collectionsFetch.ok) { console.error('Failed to fetch visited adventures'); return redirect(302, '/login'); } else { - let res = await visitedFetch.json(); + let res = await collectionsFetch.json(); let visited = res.results as Adventure[]; next = res.next; previous = res.previous; @@ -309,15 +290,16 @@ export const actions: Actions = { } const fullUrl = `${serverEndpoint}${url}`; - console.log(fullUrl); - console.log(serverEndpoint); + + let sessionId = event.cookies.get('sessionid'); try { const response = await fetch(fullUrl, { headers: { 'Content-Type': 'application/json', - Cookie: `${event.cookies.get('auth')}` - } + Cookie: `sessionid=${sessionId}` + }, + credentials: 'include' }); if (!response.ok) { diff --git a/frontend/src/routes/collections/[id]/+page.server.ts b/frontend/src/routes/collections/[id]/+page.server.ts index 80d7ef9..a7af726 100644 --- a/frontend/src/routes/collections/[id]/+page.server.ts +++ b/frontend/src/routes/collections/[id]/+page.server.ts @@ -6,9 +6,10 @@ const endpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; export const load = (async (event) => { const id = event.params as { id: string }; + let sessionid = event.cookies.get('sessionid'); let request = await fetch(`${endpoint}/api/collections/${id.id}/`, { headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionid}` } }); if (!request.ok) { 
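Review bot: The message `console.error('Failed to fetch visited adventures')` is stale after the rename to `collectionsFetch`; this branch handles the collections list and should read `console.error('Failed to fetch collections');`. Separately, the header is built as `Cookie: \`sessionid=${event.cookies.get('sessionid')}\`` with no presence check, so a request without the cookie forwards the literal string `undefined` as a session id; reading the cookie into a variable and returning early when it is missing, as the first hunk of this file does, avoids that. The same unchecked interpolation appears in the next hunk of this file, in the collections/[id] load, and in the archived, map, search, shared and worldtravel loads; the loads guarded by `event.locals.user` are presumably fine in practice, but the collections/[id] load has no visible guard at all. The enclosing action starts and ends outside the hunk.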
@@ -30,7 +31,7 @@ export const load = (async (event) => { }) satisfies PageServerLoad; import type { Actions } from '@sveltejs/kit'; -import { tryRefreshToken } from '$lib/index.server'; +import { fetchCSRFToken, tryRefreshToken } from '$lib/index.server'; const serverEndpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; @@ -39,31 +40,6 @@ export const actions: Actions = { const id = event.params as { id: string }; const adventureId = id.id; - if (!event.locals.user) { - const refresh = event.cookies.get('refresh'); - let auth = event.cookies.get('auth'); - if (!refresh) { - return { - status: 401, - body: { message: 'Unauthorized' } - }; - } - let res = await tryRefreshToken(refresh); - if (res) { - auth = res; - event.cookies.set('auth', auth, { - httpOnly: true, - sameSite: 'lax', - expires: new Date(Date.now() + 60 * 60 * 1000), // 60 minutes - path: '/' - }); - } else { - return { - status: 401, - body: { message: 'Unauthorized' } - }; - } - } if (!adventureId) { return { status: 400, @@ -71,15 +47,27 @@ export const actions: Actions = { }; } + let sessionId = event.cookies.get('sessionid'); + + if (!sessionId) { + return { + status: 401, + error: new Error('Unauthorized') + }; + } + + let csrfToken = await fetchCSRFToken(); + let res = await fetch(`${serverEndpoint}/api/collections/${event.params.id}`, { method: 'DELETE', headers: { - Cookie: `${event.cookies.get('auth')}`, - 'Content-Type': 'application/json' - } + Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`, + 'Content-Type': 'application/json', + 'X-CSRFToken': csrfToken + }, + credentials: 'include' }); - console.log(res); if (!res.ok) { return { status: res.status, diff --git a/frontend/src/routes/collections/archived/+page.server.ts b/frontend/src/routes/collections/archived/+page.server.ts index c951a3a..7b0f8c5 100644 --- a/frontend/src/routes/collections/archived/+page.server.ts +++ b/frontend/src/routes/collections/archived/+page.server.ts 
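Review bot: `tryRefreshToken` stays in the import on the `+` line even though its only call in this file is removed by the following hunk, which leaves an unused import unless it is referenced somewhere outside this diff. If it is not, the line should become `import { fetchCSRFToken } from '$lib/index.server';`.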
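Review bot: Fetching a fresh token with `fetchCSRFToken()` and sending it both as the `csrftoken` cookie and the `X-CSRFToken` header means the backend's double-submit check is satisfied by the proxy itself rather than by anything the browser proved, so Django's CSRF check effectively no longer guards this DELETE; the real defence is SvelteKit's own origin check on form actions, which must stay enabled (`csrf.checkOrigin`) and deserves a comment here such as `// backend CSRF is satisfied by this server; browser-side protection is SvelteKit's origin check on the action`. The early return uses `error: new Error('Unauthorized')` while the other 401 branches in this diff return `body: { message: 'Unauthorized' }`; one shape should be used, preferably `fail(401, { message: 'Unauthorized' })`. `fetchCSRFToken()` is awaited without handling a failed call, so a backend error would surface as an unhandled rejection rather than a clean response — its behaviour is defined outside the diff. The same token pattern recurs in the settings PATCH, password-change and change-email actions and in both worldtravel actions.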
@@ -8,13 +8,11 @@ export const load = (async (event) => { if (!event.locals.user) { return redirect(302, '/login'); } else { - let next = null; - let previous = null; - let count = 0; + let sessionId = event.cookies.get('sessionid'); let adventures: Adventure[] = []; let initialFetch = await fetch(`${serverEndpoint}/api/collections/archived/`, { headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); if (!initialFetch.ok) { diff --git a/frontend/src/routes/map/+page.server.ts b/frontend/src/routes/map/+page.server.ts index 98d036c..96db704 100644 --- a/frontend/src/routes/map/+page.server.ts +++ b/frontend/src/routes/map/+page.server.ts @@ -8,15 +8,16 @@ export const load = (async (event) => { if (!event.locals.user) { return redirect(302, '/login'); } else { + let sessionId = event.cookies.get('sessionid'); let visitedFetch = await fetch(`${endpoint}/api/adventures/all/?include_collections=true`, { headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); let visitedRegionsFetch = await fetch(`${endpoint}/api/visitedregion/`, { headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); diff --git a/frontend/src/routes/profile/+page.server.ts b/frontend/src/routes/profile/+page.server.ts index 2e4e39a..825a867 100644 --- a/frontend/src/routes/profile/+page.server.ts +++ b/frontend/src/routes/profile/+page.server.ts 
@@ -4,15 +4,16 @@ const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL']; export const load: PageServerLoad = async (event: RequestEvent) => { const endpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; - if (!event.locals.user || !event.cookies.get('auth')) { + if (!event.locals.user || !event.cookies.get('sessionid')) { return redirect(302, '/login'); } + let sessionId = event.cookies.get('sessionid'); let stats = null; let res = await event.fetch(`${endpoint}/api/stats/counts/`, { headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); if (!res.ok) { diff --git a/frontend/src/routes/search/+page.server.ts b/frontend/src/routes/search/+page.server.ts index cf8c4f6..8ff7e23 100644 --- a/frontend/src/routes/search/+page.server.ts +++ b/frontend/src/routes/search/+page.server.ts @@ -14,12 +14,14 @@ export const load = (async (event) => { return { data: [] }; } + let sessionId = event.cookies.get('sessionid'); + let res = await fetch( `${serverEndpoint}/api/adventures/search/?query=${query}&property=${property}`, { headers: { 'Content-Type': 'application/json', - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } } ); diff --git a/frontend/src/routes/settings/+page.server.ts b/frontend/src/routes/settings/+page.server.ts index 9b97697..0409ce7 100644 --- a/frontend/src/routes/settings/+page.server.ts +++ b/frontend/src/routes/settings/+page.server.ts 
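Review bot: `query` and `property` are interpolated unencoded into the backend URL on the context line `\`${serverEndpoint}/api/adventures/search/?query=${query}&property=${property}\``, so a search containing `&`, `#` or `%` reshapes the backend query string; those lines are untouched by this commit, but the hunk now builds the request around them. Wrapping both values in `encodeURIComponent(...)`, or building the URL with `new URL()` and `searchParams.set`, fixes it. The new `sessionId` is also forwarded without a presence check, which sends the literal `undefined` when the cookie is absent. The enclosing load starts outside the hunk.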
@@ -2,18 +2,20 @@ import { fail, redirect, type Actions } from '@sveltejs/kit'; import type { PageServerLoad } from '../$types'; const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL']; import type { User } from '$lib/types'; +import { fetchCSRFToken } from '$lib/index.server'; const endpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; export const load: PageServerLoad = async (event) => { if (!event.locals.user) { return redirect(302, '/'); } - if (!event.cookies.get('auth')) { + let sessionId = event.cookies.get('sessionid'); + if (!sessionId) { return redirect(302, '/'); } let res = await fetch(`${endpoint}/auth/user/`, { headers: { - Cookie: event.cookies.get('auth') || '' + Cookie: `sessionid=${sessionId}` } }); let user = (await res.json()) as User; @@ -34,7 +36,8 @@ export const actions: Actions = { if (!event.locals.user) { return redirect(302, '/'); } - if (!event.cookies.get('auth')) { + let sessionId = event.cookies.get('sessionid'); + if (!sessionId) { return redirect(302, '/'); } @@ -49,7 +52,7 @@ export const actions: Actions = { const resCurrent = await fetch(`${endpoint}/auth/user/`, { headers: { - Cookie: event.cookies.get('auth') || '' + Cookie: `sessionid=${sessionId}` } }); @@ -94,10 +97,13 @@ export const actions: Actions = { } formDataToSend.append('public_profile', public_profile.toString()); + let csrfToken = await fetchCSRFToken(); + let res = await fetch(`${endpoint}/auth/user/`, { method: 'PATCH', headers: { - Cookie: event.cookies.get('auth') || '' + Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`, + 'X-CSRFToken': csrfToken }, body: formDataToSend }); @@ -120,7 +126,8 @@ export const actions: Actions = { if (!event.locals.user) { return redirect(302, '/'); } - if (!event.cookies.get('auth')) { + let sessionId = event.cookies.get('sessionid'); + if (!sessionId) { return redirect(302, '/'); } console.log('changePassword'); 
@@ -133,10 +140,13 @@ export const actions: Actions = { return fail(400, { message: 'Passwords do not match' }); } + let csrfToken = await fetchCSRFToken(); + let res = await fetch(`${endpoint}/auth/password/change/`, { method: 'POST', headers: { - Cookie: event.cookies.get('auth') || '', + Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`, + 'X-CSRFToken': csrfToken, 'Content-Type': 'application/json' }, body: JSON.stringify({ @@ -153,7 +163,8 @@ export const actions: Actions = { if (!event.locals.user) { return redirect(302, '/'); } - if (!event.cookies.get('auth')) { + let sessionId = event.cookies.get('sessionid'); + if (!sessionId) { return redirect(302, '/'); } const formData = await event.request.formData(); @@ -161,11 +172,13 @@ export const actions: Actions = { if (!new_email) { return fail(400, { message: 'Email is required' }); } else { + let csrfToken = await fetchCSRFToken(); let res = await fetch(`${endpoint}/auth/change-email/`, { method: 'POST', headers: { - Cookie: event.cookies.get('auth') || '', - 'Content-Type': 'application/json' + Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`, + 'Content-Type': 'application/json', + 'X-CSRFToken': csrfToken }, body: JSON.stringify({ new_email diff --git a/frontend/src/routes/shared/+page.server.ts b/frontend/src/routes/shared/+page.server.ts index b40dbac..d5c1337 100644 --- a/frontend/src/routes/shared/+page.server.ts +++ b/frontend/src/routes/shared/+page.server.ts @@ -8,9 +8,10 @@ export const load = (async (event) => { if (!event.locals.user) { return redirect(302, '/login'); } else { + let sessionId = event.cookies.get('sessionid'); let res = await fetch(`${serverEndpoint}/api/collections/shared/`, { headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); if (!res.ok) { diff --git a/frontend/src/routes/user/[uuid]/+page.server.ts b/frontend/src/routes/user/[uuid]/+page.server.ts index 882082f..aa374c3 100644 
--- a/frontend/src/routes/user/[uuid]/+page.server.ts +++ b/frontend/src/routes/user/[uuid]/+page.server.ts @@ -4,7 +4,8 @@ const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL']; const serverEndpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; export const load = (async (event) => { - if (!event.cookies.get('auth')) { + let sessionId = event.cookies.get('sessionid'); + if (!sessionId) { return redirect(302, '/login'); } const uuid = event.params.uuid; @@ -13,7 +14,7 @@ export const load = (async (event) => { } let res = await fetch(`${serverEndpoint}/auth/user/${uuid}/`, { headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); if (!res.ok) { diff --git a/frontend/src/routes/users/+page.server.ts b/frontend/src/routes/users/+page.server.ts index 4aa6573..3fe2574 100644 --- a/frontend/src/routes/users/+page.server.ts +++ b/frontend/src/routes/users/+page.server.ts @@ -4,13 +4,14 @@ const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL']; const serverEndpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; export const load = (async (event) => { - if (!event.cookies.get('auth')) { + let sessionId = event.cookies.get('sessionid'); + if (!sessionId) { return redirect(302, '/login'); } const res = await fetch(`${serverEndpoint}/auth/users/`, { headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); if (!res.ok) { diff --git a/frontend/src/routes/worldtravel/+page.server.ts b/frontend/src/routes/worldtravel/+page.server.ts index fefd08d..ec696bf 100644 --- a/frontend/src/routes/worldtravel/+page.server.ts +++ b/frontend/src/routes/worldtravel/+page.server.ts 
@@ -2,6 +2,7 @@ const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL']; import type { Country } from '$lib/types'; import { redirect, type Actions } from '@sveltejs/kit'; import type { PageServerLoad } from './$types'; +import { fetchCSRFToken } from '$lib/index.server'; const endpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; @@ -11,6 +12,9 @@ export const load = (async (event) => { } else { const res = await event.fetch(`${endpoint}/api/countries/`, { method: 'GET', + headers: { + Cookie: `sessionid=${event.cookies.get('sessionid')}` + }, credentials: 'include' }); if (!res.ok) { @@ -25,8 +29,6 @@ export const load = (async (event) => { }; } } - - return {}; }) satisfies PageServerLoad; export const actions: Actions = { @@ -39,15 +41,20 @@ export const actions: Actions = { }; } - if (!event.locals.user || !event.cookies.get('auth')) { + let sessionId = event.cookies.get('sessionid'); + + if (!event.locals.user || !sessionId) { return redirect(302, '/login'); } + let csrfToken = await fetchCSRFToken(); + const res = await fetch(`${endpoint}/api/visitedregion/`, { method: 'POST', headers: { - Cookie: `${event.cookies.get('auth')}`, - 'Content-Type': 'application/json' + Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`, + 'Content-Type': 'application/json', + 'X-CSRFToken': csrfToken }, body: JSON.stringify({ region: body.regionId }) }); 
@@ -73,15 +80,20 @@ export const actions: Actions = { const visitId = body.visitId as number; - if (!event.locals.user || !event.cookies.get('auth')) { + let sessionId = event.cookies.get('sessionid'); + + if (!event.locals.user || !sessionId) { return redirect(302, '/login'); } + let csrfToken = await fetchCSRFToken(); + const res = await fetch(`${endpoint}/api/visitedregion/${visitId}/`, { method: 'DELETE', headers: { - Cookie: `${event.cookies.get('auth')}`, - 'Content-Type': 'application/json' + Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`, + 'Content-Type': 'application/json', + 'X-CSRFToken': csrfToken } }); diff --git a/frontend/src/routes/worldtravel/[id]/+page.server.ts b/frontend/src/routes/worldtravel/[id]/+page.server.ts index b13ad43..2b00f3c 100644 --- a/frontend/src/routes/worldtravel/[id]/+page.server.ts +++ b/frontend/src/routes/worldtravel/[id]/+page.server.ts @@ -12,10 +12,16 @@ export const load = (async (event) => { let visitedRegions: VisitedRegion[] = []; let country: Country; + let sessionId = event.cookies.get('sessionid'); + + if (!sessionId) { + return redirect(302, '/login'); + } + let res = await fetch(`${endpoint}/api/${id}/regions/`, { method: 'GET', headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); if (!res.ok) { @@ -28,7 +34,7 @@ export const load = (async (event) => { res = await fetch(`${endpoint}/api/${id}/visits/`, { method: 'GET', headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); if (!res.ok) { @@ -41,7 +47,7 @@ export const load = (async (event) => { res = await fetch(`${endpoint}/api/countries/${regions[0].country}/`, { method: 'GET', headers: { - Cookie: `${event.cookies.get('auth')}` + Cookie: `sessionid=${sessionId}` } }); if (!res.ok) {