api: fix accept & content-type validation when not using authentication

dumbmoron 2024-09-17 15:37:01 +00:00
parent baddb13470
commit 29f967a3ec
No known key found for this signature in database


@ -105,6 +105,18 @@ export const runAPI = (express, app, __dirname) => {
app.post('/', apiLimiter); app.post('/', apiLimiter);
app.use('/tunnel', apiLimiterStream); app.use('/tunnel', apiLimiterStream);
app.post('/', (req, res, next) => {
if (!acceptRegex.test(req.header('Accept'))) {
return fail(res, "error.api.header.accept");
}
if (!acceptRegex.test(req.header('Content-Type'))) {
return fail(res, "error.api.header.content_type");
}
next();
});
app.post('/', (req, res, next) => { app.post('/', (req, res, next) => {
if (!env.turnstileSecret || !env.jwtSecret) { if (!env.turnstileSecret || !env.jwtSecret) {
return next(); return next();
@ -128,14 +140,6 @@ export const runAPI = (express, app, __dirname) => {
return fail(res, "error.api.auth.jwt.invalid"); return fail(res, "error.api.auth.jwt.invalid");
} }
if (!acceptRegex.test(req.header('Accept'))) {
return fail(res, "error.api.header.accept");
}
if (!acceptRegex.test(req.header('Content-Type'))) {
return fail(res, "error.api.header.content_type");
}
req.authorized = true; req.authorized = true;
} catch { } catch {
return fail(res, "error.api.generic"); return fail(res, "error.api.generic");
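Review bot: In the added middleware the Content-Type header is checked with `acceptRegex`, a pattern named for the Accept header and defined outside this hunk, so the page does not show whether it is anchored or carries a `g`/`y` flag (a stateful `test` would intermittently reject valid requests). An absent header reaches `test` as `undefined` and is matched as the string "undefined"; passing `req.header('Content-Type') ?? ''` (and the same for Accept) makes the rejection explicit rather than dependent on the pattern. If sharing one pattern is intended, a comment such as `// Accept and Content-Type must both be JSON; one pattern serves both` above the middleware would record that. Because this check now gates every POST to `/` before the auth handler, a regression test with authentication disabled would pin the fix. `runAPI` starts and ends outside the hunk.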