From aff1a910afc917f34ccf278c87aed4aef5182659 Mon Sep 17 00:00:00 2001 From: Miroslav Pejic Date: Wed, 12 Jul 2023 19:44:13 +0200 Subject: [PATCH] [mirotalksfu] - use post method for login page --- app/src/Server.js | 19 ++++++++++++------- public/views/login.html | 19 ++++++++++++++++++- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/app/src/Server.js b/app/src/Server.js index feab22ab..41a42c9b 100644 --- a/app/src/Server.js +++ b/app/src/Server.js @@ -222,28 +222,33 @@ function startServer() { // main page app.get(['/'], (req, res) => { if (hostCfg.protected == true) { - hostCfg.authenticated = false; - res.sendFile(views.login); + const ip = getIP(req); + if (allowedIP(ip)) { + res.sendFile(views.landing); + } else { + hostCfg.authenticated = false; + res.sendFile(views.login); + } } else { res.sendFile(views.landing); } }); // handle login on host protected - app.get(['/login'], (req, res) => { + app.post(['/login'], (req, res) => { if (hostCfg.protected == true) { let ip = getIP(req); - log.debug(`Request login to host from: ${ip}`, req.query); - const { username, password } = checkXSS(req.query); + log.debug(`Request login to host from: ${ip}`, req.body); + const { username, password } = checkXSS(req.body); if (username == hostCfg.username && password == hostCfg.password) { hostCfg.authenticated = true; authHost = new Host(ip, true); log.debug('LOGIN OK', { ip: ip, authorized: authHost.isAuthorized(ip) }); - res.sendFile(views.landing); + res.status(200).json({ message: 'authorized' }); } else { log.debug('LOGIN KO', { ip: ip, authorized: false }); hostCfg.authenticated = false; - res.sendFile(views.login); + res.status(401).json({ message: 'unauthorized' }); } } else { res.redirect('/'); diff --git a/public/views/login.html b/public/views/login.html index 924b3c95..1ed3f902 100644 --- a/public/views/login.html +++ b/public/views/login.html @@ -45,7 +45,12 @@ + + + + +
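Review bot: The new `log.debug(..., req.body)` call in the `/login` handler writes the submitted password to the application log in clear text, so the move from query string to POST body keeps credentials out of URLs but not out of logs. Move the log below the destructuring and pass only `{ username }` as the second argument. Because a JSON body can carry arrays or objects, the handler should also reject the request unless `typeof username === 'string' && typeof password === 'string'` before the loose `==` comparison runs, and a constant-time comparison such as `crypto.timingSafeEqual` over equal-length digests would be preferable to `==` for the password. `req.body` is only populated if a body parser is mounted earlier in `startServer()`, which is outside this hunk and should be confirmed.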
@@ -124,7 +129,19 @@ const password = filterXSS(document.getElementById('password').value); if (username && password) { - window.location.href = `/login?username=${username}&password=${password}`; + axios + .post('/login', { + username: username, + password: password, + }) + .then(function (response) { + console.log(response); + window.location.href = '/'; + }) + .catch(function (error) { + console.error(error); + alert('Unauthorized'); + }); return; } if (!username && !password) {
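Review bot: `console.log(response);` and `console.error(error);` in the new axios call print the whole axios object, whose `config.data` holds the serialized request body, so the username and password end up in the browser console. Log only what is needed, for example `console.log(response.status);` and `console.error(error.message);`. The `.catch` branch also shows 'Unauthorized' for every failure, including network errors and 5xx responses; checking `error.response && error.response.status === 401` before choosing the message would keep a server fault from looking like a wrong password. The enclosing function starts and ends outside this hunk.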