🐛 fix: try to implement better ssrf-protect (#4044)

arvinxx · web-flow · commit e960a23b0c69 · 2024-09-20T23:46:21.000+08:00
* 🐛 fix: try to implement better ssrf-protect

* 🐛 fix: fix error

* 💄 style: improve pwa
diff --git a/package.json b/package.json
@@ -203,6 +203,7 @@
     "remark": "^14.0.3",
     "remark-gfm": "^3.0.1",
     "remark-html": "^15.0.2",
+    "request-filtering-agent": "^2.0.1",
     "resolve-accept-language": "^3.1.5",
     "rtl-detect": "^1.1.2",
     "semver": "^7.6.3",
diff --git a/src/app/api/proxy/route.ts b/src/app/api/proxy/route.ts
diff --git a/src/app/webapi/proxy/route.ts b/src/app/webapi/proxy/route.ts
@@ -0,0 +1,19 @@
+import { NextResponse } from 'next/server';
+import fetch from 'node-fetch';
+import { useAgent as ssrfAgent } from 'request-filtering-agent';
+
+/**
+ * just for a proxy
+ */
+export const POST = async (req: Request) => {
+  const url = await req.text();
+
+  try {
+    const res = await fetch(url, { agent: ssrfAgent(url) });
+
+    return new Response(await res.arrayBuffer(), { headers: { ...res.headers } });
+  } catch (err) {
+    console.error(err); // DNS lookup 127.0.0.1(family:4, host:127.0.0.1.nip.io) is not allowed. Because, It is private IP address.
+    return NextResponse.json({ error: 'Not support internal host proxy' }, { status: 400 });
+  }
+};
diff --git a/src/server/routers/lambda/user.ts b/src/server/routers/lambda/user.ts
@@ -63,7 +63,7 @@ export const userRouter = router({
     const sessionCount = await sessionModel.count();
 
     return {
-      canEnablePWAGuide: messageCount >= 2,
+      canEnablePWAGuide: messageCount >= 4,
       canEnableTrace: messageCount >= 4,
       // 有消息，或者创建过助手，则认为有 conversation
       hasConversation: messageCount > 0 || sessionCount > 1,
diff --git a/src/services/_url.ts b/src/services/_url.ts
@@ -1,4 +1,4 @@
-// TODO: 未来路由需要迁移到 trpc or /webapi
+// TODO: 未来所有核心路由需要迁移到 trpc，部分不需要迁移的则走 webapi
 
 /* eslint-disable sort-keys-fix/sort-keys-fix */
 import { transform } from 'lodash-es';
@@ -17,7 +17,7 @@ const mapWithBasePath = <T extends object>(apis: T): T => {
 };
 
 export const API_ENDPOINTS = mapWithBasePath({
-  proxy: '/api/proxy',
+  proxy: '/webapi/proxy',
   oauth: '/api/auth',
 
   // agent markets
diff --git a/src/services/user/client.ts b/src/services/user/client.ts
@@ -23,7 +23,7 @@ export class ClientService implements IUserService {
 
     return {
       avatar: user.avatar,
-      canEnablePWAGuide: messageCount >= 2,
+      canEnablePWAGuide: messageCount >= 4,
       canEnableTrace: messageCount >= 4,
       hasConversation: messageCount > 0 || sessionCount > 0,
       isOnboard: true,
