
Commit 06f6159

fix: require JSON body on destructive admin endpoints to prevent CSRF via simple requests
1 parent 2e852e5 commit 06f6159

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

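--- a/crates/http/src/handlers/admin.rs
+++ b/crates/http/src/handlers/admin.rs
@@ -172,6 +172,7 @@ pub async fn admin_restart(
 ConnectInfo(addr): ConnectInfo<SocketAddr>,
 headers: axum::http::HeaderMap,
 State(state): State<Arc<AppState>>,
+Json(()): Json<()>,
 ) -> Result<Json<AdminResponse>, ApiError> {
 if !super::check_admin_access(&addr, &headers, &state.config) {
 return Err(ApiError::Forbidden("Forbidden".into()));
@@ -192,6 +193,7 @@ pub async fn rebuild_embeddings(
 ConnectInfo(addr): ConnectInfo<SocketAddr>,
 headers: axum::http::HeaderMap,
 State(state): State<Arc<AppState>>,
+Json(()): Json<()>,
 ) -> Result<Json<AdminResponse>, ApiError> {
 if !super::check_admin_access(&addr, &headers, &state.config) {
 return Err(ApiError::Forbidden("Forbidden".into()));
@@ -212,6 +214,7 @@ pub async fn admin_shutdown(
 ConnectInfo(addr): ConnectInfo<SocketAddr>,
 headers: axum::http::HeaderMap,
 State(state): State<Arc<AppState>>,
+Json(()): Json<()>,
 ) -> Result<Json<AdminResponse>, ApiError> {
 if !super::check_admin_access(&addr, &headers, &state.config) {
 return Err(ApiError::Forbidden("Forbidden".into()));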
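Review bot: The new `Json(()): Json<()>` parameter on admin_restart (and identically on rebuild_embeddings and admin_shutdown) changes the request contract without documenting it: axum's `Json` extractor rejects any request that does not carry `Content-Type: application/json`, and the unit type deserializes only from the JSON literal `null`, so an empty body or `{}` is refused as well. That contract and its rationale belong in a doc comment on each of the three handlers, e.g. `/// Requires Content-Type application/json and a body of null; the JSON content type makes this a non-simple request, so a cross-origin browser caller must pass a CORS preflight instead of a plain form POST.` Because the extractor runs before the handler body, a non-JSON request now receives the extractor's rejection rather than the 403 from `check_admin_access`, and how that rejection is mapped onto `ApiError` is not visible in this diff. The protection also depends on the CORS layer not granting arbitrary origins these methods together with the `Content-Type` header, which should be confirmed outside this change. Each handler's body continues past the end of its hunk.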
