diff --git a/packages/backend/src/middleware/subdomain.js b/packages/backend/src/middleware/subdomain.js
new file mode 100644
index 00000000..fcb4a8ec
--- /dev/null
+++ b/packages/backend/src/middleware/subdomain.js
@@ -0,0 +1,27 @@
+/**
+ * This middleware checks the subdomain, and if the subdomain doesn't
+ * match it calls `next('route')` to skip the current route.
+ * Be sure to use this before any middleware that might erroneously
+ * block the request.
+ *
+ * @param {string|string[]} allowedSubdomains - The subdomain to allow;
+ * if an array, any of the subdomains in the array will be allowed.
+ *
+ * @returns {function} - An express middleware function
+ */
+const subdomain = allowedSubdomains => {
+ if ( ! Array.isArray(allowedSubdomains) ) {
+ allowedSubdomains = [allowedSubdomains];
+ }
+ return async (req, res, next) => {
+ // Note: at the time of implementing this, there is a config
+ // option called `experimental_no_subdomain` that is designed
+ // to lie and tell us the subdomain is `api` when it's not.
+ const actual_subdomain = require('../helpers').subdomain(req);
+ if ( ! allowedSubdomains.includes(actual_subdomain) ) {
+ next('route');
+ }
+ };
+}
+
+module.exports = subdomain;
diff --git a/packages/backend/src/routers/apps.js b/packages/backend/src/routers/apps.js
index 17572c1f..1aa5896e 100644
--- a/packages/backend/src/routers/apps.js
+++ b/packages/backend/src/routers/apps.js
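Review bot: When the subdomain matches, the returned handler never calls `next()`, so every request that passes the check — the normal case for `subdomain('api')` on `GET /apps` — stalls in this middleware and never reaches `auth` or the route handler; only the mismatch branch hands control on. Both outcomes need a continuation, e.g. `if ( ! allowedSubdomains.includes(actual_subdomain) ) { return next('route'); }` followed by `next();`. The `async` keyword is unnecessary because nothing is awaited, and if this is Express 4 a rejection from an async middleware is not delivered to the error handler, so dropping it (or catching and calling `next(err)`) removes a second way for the request to hang. Whether `helpers.subdomain(req)` is derived from the Host header and how case or trailing dots are normalised is not visible here; the JSDoc should state that the comparison is exact-string so callers know what the allow-list actually matches.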
@@ -23,14 +23,15 @@
 const auth = require('../middleware/auth.js');
 const config = require('../config');
 const { app_name_exists, refresh_apps_cache, chkperm, convert_path_to_fsentry, get_app } = require('../helpers');
 const { DB_WRITE, DB_READ } = require('../services/database/consts.js');
+const subdomain = require('../middleware/subdomain.js');
 
 // -----------------------------------------------------------------------//
 // GET /apps
 // -----------------------------------------------------------------------//
-router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
- // check subdomain
- if(require('../helpers').subdomain(req) !== 'api')
- next();
+router.get('/apps',
+ subdomain('api'),
+ auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+ // /!\ open brace on end of previous line
 // check if user is verified
 if((config.strict_email_verification_required || req.user.requires_email_confirmation) && !req.user.email_confirmed)
@@ -88,7 +89,11 @@ router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=
 // -----------------------------------------------------------------------//
 // GET /apps/:name(s)
 // -----------------------------------------------------------------------//
-router.get('/apps/:name', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+router.get('/apps/:name',
+ subdomain('api'),
+ auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+ // /!\ open brace on end of previous line
+
 // check subdomain
 if(require('../helpers').subdomain(req) !== 'api')
 next();
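Review bot: The `// /!\ open brace on end of previous line` comment in the new `router.get('/apps', …)` call points at a layout problem instead of fixing it; putting `async (req, res, next)=>{` on its own line after `auth, express.json({limit: '50mb'}),` makes the start of the handler body readable without a marker. The same marker is added in the `/apps/:name` hunk below. The handler body continues past the end of this hunk.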
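Review bot: The old inline check `if(require('../helpers').subdomain(req) !== 'api') next();` is left in place under the new `subdomain('api')` middleware, so `/apps/:name` now checks the subdomain twice while the `/apps` hunk removes the inline version; the leftover is dead for the non-api case (the middleware has already left the route) and, because it calls `next()` without `return`, would fall through into the handler body if it ever did fire. Delete the three context lines `// check subdomain`, `if(require('../helpers').subdomain(req) !== 'api')` and `next();` so both routes rely on the middleware alone. The handler body continues beyond the hunk.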