updates to api protections
+21
-3
@@ -1281,8 +1281,19 @@ function isProtectedDataPath(req) {
|
||||
}
|
||||
}
|
||||
|
||||
function isSiteSessionBootstrapPath(req) {
|
||||
if (!req.url) return false
|
||||
try {
|
||||
const pathname = new URL(req.url, `http://${req.headers.host || 'localhost'}`).pathname
|
||||
return pathname === '/api/turnstile/verify' || pathname === '/api/turnstile/session'
|
||||
} catch {
|
||||
return req.url === '/api/turnstile/verify' || req.url === '/api/turnstile/session'
|
||||
}
|
||||
}
|
||||
|
||||
function requireSiteSession(req, res) {
|
||||
if (!isProtectedDataPath(req)) return true
|
||||
if (isSiteSessionBootstrapPath(req)) return true
|
||||
|
||||
if (!SITE_SESSION_HMAC_KEY) {
|
||||
sendJson(res, 503, { error: 'Site session signing is not configured' })
|
||||
@@ -1299,6 +1310,11 @@ function requireSiteSession(req, res) {
|
||||
return false
|
||||
}
|
||||
|
||||
if (!isTurnstileSessionVerified(req)) {
|
||||
sendJson(res, 403, { error: 'Turnstile session required' })
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
@@ -2469,12 +2485,10 @@ function htmlWithSeo(req, data) {
|
||||
|
||||
function sendHtml(req, res, data, status = 200) {
|
||||
const html = htmlWithSeo(req, data)
|
||||
const siteSessionCookie = buildSiteSessionCookie(req)
|
||||
send(res, status, html, {
|
||||
...securityHeaders(req, { html: true }),
|
||||
'content-type': mimeTypes['.html'],
|
||||
'cache-control': 'no-cache',
|
||||
...(siteSessionCookie ? { 'set-cookie': siteSessionCookie } : {}),
|
||||
})
|
||||
}
|
||||
|
||||
@@ -2978,7 +2992,11 @@ const server = http.createServer((req, res) => {
|
||||
sendJson(res, 403, { error: 'Turnstile verification failed', detail: verification.error })
|
||||
return
|
||||
}
|
||||
const headers = TURNSTILE_SECRET_KEY ? { 'set-cookie': buildTurnstileSessionCookie(req) } : {}
|
||||
const cookies = [
|
||||
buildTurnstileSessionCookie(req),
|
||||
buildSiteSessionCookie(req),
|
||||
].filter(Boolean)
|
||||
const headers = cookies.length ? { 'set-cookie': cookies } : {}
|
||||
send(res, 200, JSON.stringify({ success: true, ttl: TURNSTILE_SESSION_TTL_SECONDS }), {
|
||||
...jsonHeaders,
|
||||
...headers,
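Review bot: `isSiteSessionBootstrapPath` decides the bypass on the WHATWG-normalized `pathname`, which collapses dot segments, so a request line such as `/api/data/../turnstile/verify` is treated as a bootstrap path; if the router or `isProtectedDataPath` (its body starts outside the first hunk) dispatches on the raw `req.url` instead, that request would skip the session checks in `requireSiteSession` while still reaching a protected route. Make both sides decide on the same normalized pathname, or reject paths containing `..` or `//` before this point. Separately, the new 403 gate on `isTurnstileSessionVerified` has no configured-ness check mirroring the 503 for `SITE_SESSION_HMAC_KEY`, and the last hunk (inside the `createServer` callback, which starts and ends outside it) drops the `TURNSTILE_SECRET_KEY` guard on the turnstile cookie, so with no Turnstile secret the outcome depends on what `buildTurnstileSessionCookie` and `isTurnstileSessionVerified` return when unconfigured — worth a fail-closed check or a comment stating that intent. I would also document the bypass above `requireSiteSession`: `// Endpoints that mint the session cookies must stay reachable without one; every other protected data path needs both a valid site session and a verified Turnstile session.`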
|
||||
|
||||