From 4e3a24e6093e279e210765e07e436f4e63b74072 Mon Sep 17 00:00:00 2001
From: KernelDeimos <eric.alex.dube@gmail.com>
Date: Tue, 28 May 2024 15:51:22 -0400
Subject: [PATCH] fix: check subdomain earlier for /apps

---
 packages/backend/src/middleware/subdomain.js | 27 ++++++++++++++++++++
 packages/backend/src/routers/apps.js         | 15 +++++++----
 2 files changed, 37 insertions(+), 5 deletions(-)
 create mode 100644 packages/backend/src/middleware/subdomain.js

diff --git a/packages/backend/src/middleware/subdomain.js b/packages/backend/src/middleware/subdomain.js
new file mode 100644
index 00000000..fcb4a8ec
--- /dev/null
+++ b/packages/backend/src/middleware/subdomain.js
@@ -0,0 +1,27 @@
+/**
+ * This middleware checks the subdomain, and if the subdomain doesn't
+ * match it calls `next('route')` to skip the current route.
+ * Be sure to use this before any middleware that might erroneously
+ * block the request.
+ * 
+ * @param {string|string[]} allowedSubdomains - The subdomain to allow;
+ *    if an array, any of the subdomains in the array will be allowed.
+ * 
+ * @returns {function} - An express middleware function
+ */
+const subdomain = allowedSubdomains => {
+    if ( ! Array.isArray(allowedSubdomains) ) {
+        allowedSubdomains = [allowedSubdomains];
+    }
+    return async (req, res, next) => {
+        // Note: at the time of implementing this, there is a config
+        // option called `experimental_no_subdomain` that is designed
+        // to lie and tell us the subdomain is `api` when it's not.
+        const actual_subdomain = require('../helpers').subdomain(req);
+        if ( ! allowedSubdomains.includes(actual_subdomain) ) {
+            next('route');
+        }
+    };
+}
+
+module.exports = subdomain;
diff --git a/packages/backend/src/routers/apps.js b/packages/backend/src/routers/apps.js
index 17572c1f..1aa5896e 100644
--- a/packages/backend/src/routers/apps.js
+++ b/packages/backend/src/routers/apps.js
@@ -23,14 +23,15 @@ const auth = require('../middleware/auth.js');
 const config = require('../config');
 const { app_name_exists, refresh_apps_cache, chkperm, convert_path_to_fsentry, get_app } = require('../helpers');
 const { DB_WRITE, DB_READ } = require('../services/database/consts.js');
+const subdomain = require('../middleware/subdomain.js');
 
 // -----------------------------------------------------------------------//
 // GET /apps
 // -----------------------------------------------------------------------//
-router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
-    // check subdomain
-    if(require('../helpers').subdomain(req) !== 'api')
-        next();
+router.get('/apps',
+    subdomain('api'),
+    auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+    // /!\ open brace on end of previous line
 
     // check if user is verified
     if((config.strict_email_verification_required || req.user.requires_email_confirmation) && !req.user.email_confirmed)
@@ -88,7 +89,11 @@ router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=
 // -----------------------------------------------------------------------//
 // GET /apps/:name(s)
 // -----------------------------------------------------------------------//
-router.get('/apps/:name', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+router.get('/apps/:name',
+    subdomain('api'),
+    auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+    // /!\ open brace on end of previous line
+
     // check subdomain
     if(require('../helpers').subdomain(req) !== 'api')
         next();