updates to api protections

This commit is contained in:
Clippii
2026-06-28 16:01:57 +01:00
parent a274313ad1
commit 109eeebfb1
4 changed files with 32 additions and 10 deletions
+21 -3
@@ -1281,8 +1281,19 @@ function isProtectedDataPath(req) {
}
}
function isSiteSessionBootstrapPath(req) {
if (!req.url) return false
try {
const pathname = new URL(req.url, `http://${req.headers.host || 'localhost'}`).pathname
return pathname === '/api/turnstile/verify' || pathname === '/api/turnstile/session'
} catch {
return req.url === '/api/turnstile/verify' || req.url === '/api/turnstile/session'
}
}
function requireSiteSession(req, res) {
if (!isProtectedDataPath(req)) return true
if (isSiteSessionBootstrapPath(req)) return true
if (!SITE_SESSION_HMAC_KEY) {
sendJson(res, 503, { error: 'Site session signing is not configured' })
@@ -1299,6 +1310,11 @@ function requireSiteSession(req, res) {
return false
}
if (!isTurnstileSessionVerified(req)) {
sendJson(res, 403, { error: 'Turnstile session required' })
return false
}
return true
}
@@ -2469,12 +2485,10 @@ function htmlWithSeo(req, data) {
function sendHtml(req, res, data, status = 200) {
const html = htmlWithSeo(req, data)
const siteSessionCookie = buildSiteSessionCookie(req)
send(res, status, html, {
...securityHeaders(req, { html: true }),
'content-type': mimeTypes['.html'],
'cache-control': 'no-cache',
...(siteSessionCookie ? { 'set-cookie': siteSessionCookie } : {}),
})
}
@@ -2978,7 +2992,11 @@ const server = http.createServer((req, res) => {
sendJson(res, 403, { error: 'Turnstile verification failed', detail: verification.error })
return
}
const headers = TURNSTILE_SECRET_KEY ? { 'set-cookie': buildTurnstileSessionCookie(req) } : {}
const cookies = [
buildTurnstileSessionCookie(req),
buildSiteSessionCookie(req),
].filter(Boolean)
const headers = cookies.length ? { 'set-cookie': cookies } : {}
send(res, 200, JSON.stringify({ success: true, ttl: TURNSTILE_SESSION_TTL_SECONDS }), {
...jsonHeaders,
...headers,
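Review bot: The new `isTurnstileSessionVerified` gate in requireSiteSession (second hunk) has no configuration guard, unlike the `SITE_SESSION_HMAC_KEY` check directly above it, which answers 503 when signing is unconfigured. If `isTurnstileSessionVerified` returns false whenever `TURNSTILE_SECRET_KEY` is unset — the old code in the last hunk only issued the Turnstile cookie when that key was present, so unconfigured deployments appear to have been supported — every protected data path now answers 403 'Turnstile session required', blaming the client for a server-side deployment gap. Mirroring the existing pattern before that check, `if (!TURNSTILE_SECRET_KEY) { sendJson(res, 503, { error: 'Turnstile verification is not configured' }); return false }`, makes the failure mode explicit and keeps the two checks consistent. In the last hunk, `cookies.filter(Boolean)` now relies on `buildTurnstileSessionCookie` returning a falsy value when unconfigured rather than a cookie signed with an empty key, which is worth confirming. requireSiteSession begins in the first hunk and the lines between the first and second hunks are outside the view.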