fix: check subdomain earlier for /apps

KernelDeimos · KernelDeimos · commit 4e3a24e6093e · 2024-05-28T15:51:22.000-04:00
diff --git a/packages/backend/src/middleware/subdomain.js b/packages/backend/src/middleware/subdomain.js
@@ -0,0 +1,27 @@
+/**
+ * This middleware checks the subdomain, and if the subdomain doesn't
+ * match it calls `next('route')` to skip the current route.
+ * Be sure to use this before any middleware that might erroneously
+ * block the request.
+ * 
+ * @param {string|string[]} allowedSubdomains - The subdomain to allow;
+ *    if an array, any of the subdomains in the array will be allowed.
+ * 
+ * @returns {function} - An express middleware function
+ */
+const subdomain = allowedSubdomains => {
+    if ( ! Array.isArray(allowedSubdomains) ) {
+        allowedSubdomains = [allowedSubdomains];
+    }
+    return async (req, res, next) => {
+        // Note: at the time of implementing this, there is a config
+        // option called `experimental_no_subdomain` that is designed
+        // to lie and tell us the subdomain is `api` when it's not.
+        const actual_subdomain = require('../helpers').subdomain(req);
+        if ( ! allowedSubdomains.includes(actual_subdomain) ) {
+            next('route');
+        }
+    };
+}
+
+module.exports = subdomain;
diff --git a/packages/backend/src/routers/apps.js b/packages/backend/src/routers/apps.js
@@ -23,14 +23,15 @@ const auth = require('../middleware/auth.js');
 const config = require('../config');
 const { app_name_exists, refresh_apps_cache, chkperm, convert_path_to_fsentry, get_app } = require('../helpers');
 const { DB_WRITE, DB_READ } = require('../services/database/consts.js');
+const subdomain = require('../middleware/subdomain.js');
 
 // -----------------------------------------------------------------------//
 // GET /apps
 // -----------------------------------------------------------------------//
-router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
-    // check subdomain
-    if(require('../helpers').subdomain(req) !== 'api')
-        next();
+router.get('/apps',
+    subdomain('api'),
+    auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+    // /!\ open brace on end of previous line
 
     // check if user is verified
     if((config.strict_email_verification_required || req.user.requires_email_confirmation) && !req.user.email_confirmed)
@@ -88,7 +89,11 @@ router.get('/apps', auth, express.json({limit: '50mb'}), async (req, res, next)=
 // -----------------------------------------------------------------------//
 // GET /apps/:name(s)
 // -----------------------------------------------------------------------//
-router.get('/apps/:name', auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+router.get('/apps/:name',
+    subdomain('api'),
+    auth, express.json({limit: '50mb'}), async (req, res, next)=>{
+    // /!\ open brace on end of previous line
+
     // check subdomain
     if(require('../helpers').subdomain(req) !== 'api')
         next();
