fix: check subdomain earlier for /apps

This commit is contained in:
KernelDeimos 2024-05-28 15:51:22 -04:00
parent c495ccff65
commit 4e3a24e609
2 changed files with 37 additions and 5 deletions

View File

@ -0,0 +1,27 @@
/**
* This middleware checks the subdomain, and if the subdomain doesn't
* match it calls `next('route')` to skip the current route.
* Be sure to use this before any middleware that might erroneously
* block the request.
*
* @param {string|string[]} allowedSubdomains - The subdomain to allow;
* if an array, any of the subdomains in the array will be allowed.
*
* @returns {function} - An express middleware function
*/
const subdomain = allowedSubdomains => {
if ( ! Array.isArray(allowedSubdomains) ) {
allowedSubdomains = [allowedSubdomains];
}
return async (req, res, next) => {
// Note: at the time of implementing this, there is a config
// option called `experimental_no_subdomain` that is designed
// to lie and tell us the subdomain is `api` when it's not.
const actual_subdomain = require('../helpers').subdomain(req);
if ( ! allowedSubdomains.includes(actual_subdomain) ) {
next('route');
}
};
}
module.exports = subdomain;

View File

@ -23,14 +23,15 @@ const auth = require('../middleware/auth.js');
const config = require('../config'); const config = require('../config');
const { app_name_exists, refresh_apps_cache, chkperm, convert_path_to_fsentry, get_app } = require('../helpers'); const { app_name_exists, refresh_apps_cache, chkperm, convert_path_to_fsentry, get_app } = require('../helpers');
const { DB_WRITE, DB_READ } = require('../services/database/consts.js'); const { DB_WRITE, DB_READ } = require('../services/database/consts.js');
const subdomain = require('../middleware/subdomain.js');
// -----------------------------------------------------------------------// // -----------------------------------------------------------------------//
// GET /apps // GET /apps
// -----------------------------------------------------------------------// // -----------------------------------------------------------------------//
router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=>{ router.get('/apps',
// check subdomain subdomain('api'),
if(require('../helpers').subdomain(req) !== 'api') auth, express.json({limit: '50mb'}), async (req, res, next)=>{
next(); // /!\ open brace on end of previous line
// check if user is verified // check if user is verified
if((config.strict_email_verification_required || req.user.requires_email_confirmation) && !req.user.email_confirmed) if((config.strict_email_verification_required || req.user.requires_email_confirmation) && !req.user.email_confirmed)
@ -88,7 +89,11 @@ router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=
// -----------------------------------------------------------------------// // -----------------------------------------------------------------------//
// GET /apps/:name(s) // GET /apps/:name(s)
// -----------------------------------------------------------------------// // -----------------------------------------------------------------------//
router.get('/apps/:name', auth, express.json({limit: '50mb'}), async (req, res, next)=>{ router.get('/apps/:name',
subdomain('api'),
auth, express.json({limit: '50mb'}), async (req, res, next)=>{
// /!\ open brace on end of previous line
// check subdomain // check subdomain
if(require('../helpers').subdomain(req) !== 'api') if(require('../helpers').subdomain(req) !== 'api')
next(); next();