fix: check subdomain earlier for /apps

2024-11-14 22:06:00 +00:00 · 2024-05-28 15:51:22 -04:00 · 2024-05-28 15:51:22 -04:00 · 4e3a24e609
commit 4e3a24e609
parent c495ccff65
2 changed files with 37 additions and 5 deletions
--- a/packages/backend/src/middleware/subdomain.js
+++ b/packages/backend/src/middleware/subdomain.js
@ -0,0 +1,27 @@
+/**
+ * This middleware checks the subdomain, and if the subdomain doesn't
+ * match it calls `next('route')` to skip the current route.
+ * Be sure to use this before any middleware that might erroneously
+ * block the request.
+ * 
+ * @param {string|string[]} allowedSubdomains - The subdomain to allow;
+ *    if an array, any of the subdomains in the array will be allowed.
+ * 
+ * @returns {function} - An express middleware function
+ */
+const subdomain = allowedSubdomains => {
+    if ( ! Array.isArray(allowedSubdomains) ) {
+        allowedSubdomains = [allowedSubdomains];
+    }
+    return async (req, res, next) => {
+        // Note: at the time of implementing this, there is a config
+        // option called `experimental_no_subdomain` that is designed
+        // to lie and tell us the subdomain is `api` when it's not.
+        const actual_subdomain = require('../helpers').subdomain(req);
+        if ( ! allowedSubdomains.includes(actual_subdomain) ) {
+            next('route');
+        }
+    };
+}
+
+module.exports = subdomain;
--- a/packages/backend/src/routers/apps.js
+++ b/packages/backend/src/routers/apps.js
@ -23,14 +23,15 @@ const auth = require('../middleware/auth.js');
 const config = require('../config');
 const { app_name_exists, refresh_apps_cache, chkperm, convert_path_to_fsentry, get_app } = require('../helpers');
 const { DB_WRITE, DB_READ } = require('../services/database/consts.js');
+const subdomain = require('../middleware/subdomain.js');

 // -----------------------------------------------------------------------//
 // GET /apps
 // -----------------------------------------------------------------------//
-router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
-    // check subdomain
-    if(require('../helpers').subdomain(req) !== 'api')
-        next();
+router.get('/apps',
+    subdomain('api'),
+    auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+    // /!\ open brace on end of previous line

    // check if user is verified
    if((config.strict_email_verification_required || req.user.requires_email_confirmation) && !req.user.email_confirmed)
@ -88,7 +89,11 @@ router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=
 // -----------------------------------------------------------------------//
 // GET /apps/:name(s)
 // -----------------------------------------------------------------------//
-router.get('/apps/:name', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+router.get('/apps/:name',
+    subdomain('api'),
+    auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+    // /!\ open brace on end of previous line
+
    // check subdomain
    if(require('../helpers').subdomain(req) !== 'api')
        next();