Secure API endpoints with CORS
I found that the API endpoints can be accessed easily from every host in the local network. For example, accessing the history on http://HOST:8840/api/history/ is easy; we also get to know the ID field, and this could be used on the other API endpoints.
I saw in the discussion that authentication, for now, isn't supported; however, I think that starting to make the app more secure is important and could make the app more trusted.
What should change
Frontend
There are two API calls made on the frontend, inside index.js:
...
async function loadAddrs() {
    const url = '/api/all';
    addrsArray = await (await fetch(url)).json();
    bkpArray = addrsArray;
    field = localStorage.getItem("sortField");
    down = JSON.parse(localStorage.getItem("sortDown"));
    checkNotEmpty(addrsArray);
}
...
async function editForm(id, known) {
    const name = document.getElementById("name"+id).value;
    const url = '/api/edit/'+id+'/'+name+'/'+known;
    // console.log(url);
    await fetch(url);
}
There should be some endpoint exposed that internally makes requests to those API endpoints; for example, /load (or similar) could be used for /api/all. I am still not sure about editForm.
Backend
Inside /internal/web/web.gui
func Gui(dirPath, nodePath string) {
	...
	router := gin.New()
	router.Use(gin.Recovery())
I am still not familiar with gin; however, the Recover middleware could be combined with a custom cors.New(cors.Config{...}) middleware in some way.
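
Added example, not part of the original issue or the project's code: a standard-library sketch of the Origin allow-list that a CORS middleware applies, run against a stand-in for /api/history/. The allowed origin, the `corsAllowList` and `probe` names, and the sample handler are assumptions; the last probe covers a request with no Origin header, as sent by non-browser clients on the network, which an Origin-based check does not evaluate.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is an assumed allow-list; the port follows the issue's example URL.
var allowedOrigins = map[string]bool{"http://localhost:8840": true}

// corsAllowList (hypothetical name) rejects requests whose Origin header is
// not on the allow-list and echoes an allowed origin back to the browser.
func corsAllowList(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		w.Header().Add("Vary", "Origin")
		if origin != "" {
			if !allowedOrigins[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		// Requests without an Origin header (same-origin GETs, curl,
		// scripts on another host) are passed through unchanged.
		next.ServeHTTP(w, r)
	})
}

// probe sends one GET through the middleware and returns the status code.
func probe(origin string) int {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `[{"ID":1}]`) // constructed sample response
	})
	req := httptest.NewRequest(http.MethodGet, "/api/history/", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	corsAllowList(api).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("allowed origin:  ", probe("http://localhost:8840"))
	fmt.Println("other origin:    ", probe("http://other.example"))
	fmt.Println("no Origin header:", probe(""))
}
```

The third probe returns the data, so limiting which hosts can read the API needs a server-side control such as authentication or a restricted bind address in addition to the CORS policy.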