Implement CSRF protection

frontend/src/components/store/Store.tsx

@@ -35,6 +35,10 @@ export async function installFromURL(url: string) {
   await fetch('http://localhost:1337/browser/install_plugin', {
     method: 'POST',
     body: formData,
+    credentials: 'include',
+    headers: {
+      Authentication: window.deckyAuthToken,
+    },
   });
 }
 
@@ -50,6 +54,10 @@ export function requestLegacyPluginInstall(plugin: LegacyStorePlugin, selectedVe
         fetch('http://localhost:1337/browser/install_plugin', {
           method: 'POST',
           body: formData,
+          credentials: 'include',
+          headers: {
+            Authentication: window.deckyAuthToken,
+          },
         });
       }}
       onCancel={() => {
@@ -75,6 +83,10 @@ export async function requestPluginInstall(plugin: StorePlugin, selectedVer: Sto
   await fetch('http://localhost:1337/browser/install_plugin', {
     method: 'POST',
     body: formData,
+    credentials: 'include',
+    headers: {
+      Authentication: window.deckyAuthToken,
+    },
   });
 }
 
@@ -84,12 +96,24 @@ const StorePage: FC<{}> = () => {
 
   useEffect(() => {
     (async () => {
-      const res = await fetch('https://beta.deckbrew.xyz/plugins', { method: 'GET' }).then((r) => r.json());
+      const res = await fetch('https://beta.deckbrew.xyz/plugins', {
+        method: 'GET',
+        credentials: 'include',
+        headers: {
+          Authentication: window.deckyAuthToken,
+        },
+      }).then((r) => r.json());
       console.log(res);
       setData(res.filter((x: StorePlugin) => x.name !== 'Example Plugin'));
     })();
     (async () => {
-      const res = await fetch('https://plugins.deckbrew.xyz/get_plugins', { method: 'GET' }).then((r) => r.json());
+      const res = await fetch('https://plugins.deckbrew.xyz/get_plugins', {
+        method: 'GET',
+        credentials: 'include',
+        headers: {
+          Authentication: window.deckyAuthToken,
+        },
+      }).then((r) => r.json());
       console.log(res);
       setLegacyData(res);
     })();

frontend/src/index.tsx

@@ -8,24 +8,33 @@ declare global {
     importDeckyPlugin: Function;
     syncDeckyPlugins: Function;
     deckyHasLoaded: boolean;
+    deckyAuthToken: string;
   }
 }
+(async () => {
+  window.deckyAuthToken = await fetch('http://127.0.0.1:1337/auth/token').then((r) => r.text());
 
-window.DeckyPluginLoader?.dismountAll();
-window.DeckyPluginLoader?.deinit();
+  window.DeckyPluginLoader?.dismountAll();
+  window.DeckyPluginLoader?.deinit();
 
-window.DeckyPluginLoader = new PluginLoader();
-window.importDeckyPlugin = function (name: string) {
-  window.DeckyPluginLoader?.importPlugin(name);
-};
+  window.DeckyPluginLoader = new PluginLoader();
+  window.importDeckyPlugin = function (name: string) {
+    window.DeckyPluginLoader?.importPlugin(name);
+  };
 
-window.syncDeckyPlugins = async function () {
-  const plugins = await (await fetch('http://127.0.0.1:1337/plugins')).json();
-  for (const plugin of plugins) {
-    if (!window.DeckyPluginLoader.hasPlugin(plugin)) window.DeckyPluginLoader?.importPlugin(plugin);
-  }
-};
+  window.syncDeckyPlugins = async function () {
+    const plugins = await (
+      await fetch('http://127.0.0.1:1337/plugins', {
+        credentials: 'include',
+        headers: { Authentication: window.deckyAuthToken },
+      })
+    ).json();
+    for (const plugin of plugins) {
+      if (!window.DeckyPluginLoader.hasPlugin(plugin)) window.DeckyPluginLoader?.importPlugin(plugin);
+    }
+  };
 
-setTimeout(() => window.syncDeckyPlugins(), 5000);
+  setTimeout(() => window.syncDeckyPlugins(), 5000);
 
-window.deckyHasLoaded = true;
+  window.deckyHasLoaded = true;
+})();

frontend/src/plugin-loader.tsx

@@ -75,6 +75,10 @@ class PluginLoader extends Logger {
           await fetch('http://localhost:1337/browser/uninstall_plugin', {
             method: 'POST',
             body: formData,
+            credentials: 'include',
+            headers: {
+              Authentication: window.deckyAuthToken,
+            },
           });
         }}
         onCancel={() => {
@@ -144,7 +148,12 @@ class PluginLoader extends Logger {
   }
 
   private async importReactPlugin(name: string) {
-    let res = await fetch(`http://127.0.0.1:1337/plugins/${name}/frontend_bundle`);
+    let res = await fetch(`http://127.0.0.1:1337/plugins/${name}/frontend_bundle`, {
+      credentials: 'include',
+      headers: {
+        Authentication: window.deckyAuthToken,
+      },
+    });
     if (res.ok) {
       let plugin = await eval(await res.text())(this.createPluginAPI(name));
       this.plugins.push({
@@ -166,8 +175,10 @@ class PluginLoader extends Logger {
   async callServerMethod(methodName: string, args = {}) {
     const response = await fetch(`http://127.0.0.1:1337/methods/${methodName}`, {
       method: 'POST',
+      credentials: 'include',
       headers: {
         'Content-Type': 'application/json',
+        Authentication: window.deckyAuthToken,
       },
       body: JSON.stringify(args),
     });
@@ -182,8 +193,10 @@ class PluginLoader extends Logger {
       async callPluginMethod(methodName: string, args = {}) {
         const response = await fetch(`http://127.0.0.1:1337/plugins/${pluginName}/methods/${methodName}`, {
           method: 'POST',
+          credentials: 'include',
           headers: {
             'Content-Type': 'application/json',
+            Authentication: window.deckyAuthToken,
           },
           body: JSON.stringify({
             args,

frontend/src/updater.ts

@@ -14,8 +14,10 @@ export interface DeckyUpdater {
 export async function callUpdaterMethod(methodName: string, args = {}) {
   const response = await fetch(`http://127.0.0.1:1337/updater/${methodName}`, {
     method: 'POST',
+    credentials: 'include',
     headers: {
       'Content-Type': 'application/json',
+      Authentication: window.deckyAuthToken,
     },
     body: JSON.stringify(args),
   });