mirror of
https://github.com/HeyPuter/puter
synced 2024-11-15 06:15:47 +00:00
fix: check subdomain earlier for /apps
This commit is contained in:
parent
c495ccff65
commit
4e3a24e609
27
packages/backend/src/middleware/subdomain.js
Normal file
27
packages/backend/src/middleware/subdomain.js
Normal file
@ -0,0 +1,27 @@
|
||||
/**
|
||||
* This middleware checks the subdomain, and if the subdomain doesn't
|
||||
* match it calls `next('route')` to skip the current route.
|
||||
* Be sure to use this before any middleware that might erroneously
|
||||
* block the request.
|
||||
*
|
||||
* @param {string|string[]} allowedSubdomains - The subdomain to allow;
|
||||
* if an array, any of the subdomains in the array will be allowed.
|
||||
*
|
||||
* @returns {function} - An express middleware function
|
||||
*/
|
||||
const subdomain = allowedSubdomains => {
|
||||
if ( ! Array.isArray(allowedSubdomains) ) {
|
||||
allowedSubdomains = [allowedSubdomains];
|
||||
}
|
||||
return async (req, res, next) => {
|
||||
// Note: at the time of implementing this, there is a config
|
||||
// option called `experimental_no_subdomain` that is designed
|
||||
// to lie and tell us the subdomain is `api` when it's not.
|
||||
const actual_subdomain = require('../helpers').subdomain(req);
|
||||
if ( ! allowedSubdomains.includes(actual_subdomain) ) {
|
||||
next('route');
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
module.exports = subdomain;
|
@ -23,14 +23,15 @@ const auth = require('../middleware/auth.js');
|
||||
const config = require('../config');
|
||||
const { app_name_exists, refresh_apps_cache, chkperm, convert_path_to_fsentry, get_app } = require('../helpers');
|
||||
const { DB_WRITE, DB_READ } = require('../services/database/consts.js');
|
||||
const subdomain = require('../middleware/subdomain.js');
|
||||
|
||||
// -----------------------------------------------------------------------//
|
||||
// GET /apps
|
||||
// -----------------------------------------------------------------------//
|
||||
router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
|
||||
// check subdomain
|
||||
if(require('../helpers').subdomain(req) !== 'api')
|
||||
next();
|
||||
router.get('/apps',
|
||||
subdomain('api'),
|
||||
auth, express.json({limit: '50mb'}), async (req, res, next)=>{
|
||||
// /!\ open brace on end of previous line
|
||||
|
||||
// check if user is verified
|
||||
if((config.strict_email_verification_required || req.user.requires_email_confirmation) && !req.user.email_confirmed)
|
||||
@ -88,7 +89,11 @@ router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=
|
||||
// -----------------------------------------------------------------------//
|
||||
// GET /apps/:name(s)
|
||||
// -----------------------------------------------------------------------//
|
||||
router.get('/apps/:name', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
|
||||
router.get('/apps/:name',
|
||||
subdomain('api'),
|
||||
auth, express.json({limit: '50mb'}), async (req, res, next)=>{
|
||||
// /!\ open brace on end of previous line
|
||||
|
||||
// check subdomain
|
||||
if(require('../helpers').subdomain(req) !== 'api')
|
||||
next();
|
||||
|
Loading…
Reference in New Issue
Block a user