From ea6e14059d8904c83f16ef65dc30dfde70ca78d8 Mon Sep 17 00:00:00 2001
From: Bobby
Date: Mon, 21 Mar 2022 04:48:28 -0400
Subject: force check referer before api request
---
 public/views/createPost.html | 60 +------------
 routes/blog.js | 194 +++++++++++++++++++++++++------------
 server.js | 21 +----
 3 files changed, 117 insertions(+), 158 deletions(-)
diff --git a/public/views/createPost.html b/public/views/createPost.html
index 976c0e5..c205f20 100644
--- a/public/views/createPost.html
+++ b/public/views/createPost.html
@@ -129,65 +129,7 @@ - + \ No newline at end of file
diff --git a/routes/blog.js b/routes/blog.js
index 29dbb65..221aaf8 100644
--- a/routes/blog.js
+++ b/routes/blog.js
@@ -2,102 +2,132 @@ const firebase = require("../firebase"); const express = require("express"); const router = express.Router(); +function checkReferer(referer) { + const whitelist = ["localhost", "thatcomputerscientist"]; + if (!referer) return false; + const host = referer.split("/")[2]; + if (whitelist.some((substring) => host.includes(substring))) { + return true; + } else { + return false; + } +} + router.get("/posts", (req, res) => { - const store = firebase.firestore(); - const posts = []; - let query = store.collection("posts"); - query = query.select("slug", "tags", "title", "shortText", "publishDate"); - query - .get() - .then(function (querySnapshot) { - querySnapshot.forEach(function (doc) { - posts.push(doc.data()); + const referer = req.headers.referer ? req.headers.referer : null; + if (checkReferer(referer)) { + const store = firebase.firestore(); + const posts = []; + let query = store.collection("posts"); + query = query.select("slug", "tags", "title", "shortText", "publishDate"); + query + .get() + .then(function (querySnapshot) { + querySnapshot.forEach(function (doc) { + posts.push(doc.data()); + }); + }) + .then(() => { + res.json(posts); }); - }) - .then(() => { - res.json(posts); - }); + } else { + res.status(403).send("Forbidden"); + } }); router.put("/update/:slug", (req, res) => { - const store = firebase.firestore(); - const { title, content, tags, publishDate, shortText, slug } = req.body; - const base64 = Buffer.from(content).toString("base64"); - const post = { - title, - content: base64, - tags: String(tags).split(",").length > 0 ? String(tags).split(",") : [], - publishDate, - shortText, - slug, - }; - let query = store.collection("posts"); - query = query.where("slug", "==", slug); - query - .get() - .then(function (querySnapshot) { - querySnapshot.forEach(function (doc) { - doc.ref.update({ - title: post.title, - content: post.content, - tags: post.tags, - publishDate: post.publishDate, + const referer = req.headers.referer ? 
req.headers.referer : null; + if (checkReferer(referer)) { + const store = firebase.firestore(); + const { title, content, tags, publishDate, shortText, slug } = req.body; + const base64 = Buffer.from(content).toString("base64"); + const post = { + title, + content: base64, + tags: String(tags).split(",").length > 0 ? String(tags).split(",") : [], + publishDate, + shortText, + slug, + }; + let query = store.collection("posts"); + query = query.where("slug", "==", slug); + query + .get() + .then(function (querySnapshot) { + querySnapshot.forEach(function (doc) { + doc.ref.update({ + title: post.title, + content: post.content, + tags: post.tags, + publishDate: post.publishDate, + }); }); + }) + .then(() => { + res.json({ success: true }); + }) + .catch((err) => { + res.json({ success: false, err }); }); - }) - .then(() => { - res.json({ success: true }); - }) - .catch((err) => { - res.json({ success: false, err }); - }); + } else { + res.status(403).send("Forbidden"); + } }); router.delete("/delete/:slug", (req, res) => { - const store = firebase.firestore(); - let query = store.collection("posts"); - query = query.where("slug", "==", req.params.slug); - query - .get() - .then(function (querySnapshot) { - querySnapshot.forEach(function (doc) { - doc.ref.delete(); + const referer = req.headers.referer ? 
req.headers.referer : null; + if (checkReferer(referer)) { + const store = firebase.firestore(); + let query = store.collection("posts"); + query = query.where("slug", "==", req.params.slug); + query + .get() + .then(function (querySnapshot) { + querySnapshot.forEach(function (doc) { + doc.ref.delete(); + }); + }) + .then(() => { + res.json({ success: true }); + }) + .catch((err) => { + res.json({ success: false, err }); }); - }) - .then(() => { - res.json({ success: true }); - }) - .catch((err) => { - res.json({ success: false, err }); - }); + } else { + res.status(403).send("Forbidden"); + } }); - router.post("/new", (req, res) => { - const { title, content, tags, publishDate, shortText, slug } = req.body; - const store = firebase.firestore(); - const id = store.collection("posts").doc().id; - // convert content to base64 - const base64 = Buffer.from(content).toString("base64"); - const post = { - id, - title, - content: base64, - tags: String(tags).split(",").length > 0 ? String(tags).split(",") : [], - publishDate, - shortText, - slug, - }; - let query = store.collection("posts"); - query - .doc(id) - .set(post) - .then(() => { - res.json({ success: true }); - }) - .catch((err) => { - res.json({ success: false, err }); - }); + const referer = req.headers.referer ? req.headers.referer : null; + if (checkReferer(referer)) { + const { title, content, tags, publishDate, shortText, slug } = req.body; + const store = firebase.firestore(); + const id = store.collection("posts").doc().id; + // convert content to base64 + const base64 = Buffer.from(content).toString("base64"); + const post = { + id, + title, + content: base64, + tags: String(tags).split(",").length > 0 ? 
String(tags).split(",") : [], + publishDate, + shortText, + slug, + }; + let query = store.collection("posts"); + query + .doc(id) + .set(post) + .then(() => { + res.json({ success: true }); + }) + .catch((err) => { + res.json({ success: false, err }); + }); + } else { + res.status(403).send("Forbidden"); + } }); module.exports = router;
diff --git a/server.js b/server.js
index eb79ff0..8c1024e 100644
--- a/server.js
+++ b/server.js
@@ -2,16 +2,12 @@ const express = require("express"); const bodyParser = require("body-parser"); const cors = require("cors"); - // Import the routes const routes = require("./routes"); // Create the server const app = express(); -var allowedOrigins = [ - "http://localhost:3000", - "https://thatcomputerscientist.com", -]; + app.use(function (req, res, next) { if ( req.get("X-Forwarded-Proto") === "http" &&
@@ -32,18 +28,9 @@ app.use( extended: true, }) ); -app.use( - cors({ - origin: function (origin, callback) { - // Block everything except the allowed origins - if (allowedOrigins.indexOf(origin) !== -1) { - callback(null, true); - } else { - callback(new Error("Not allowed by CORS")); - } - }, - }) -); + +app.use(cors()); + app.use("/static", express.static(__dirname + "/static")); app.use(express.static(__dirname + "/public")); app.engine("html", require("ejs").renderFile); -- cgit v1.2.3
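Review bot: `checkReferer` takes the authority with `referer.split("/")[2]` and accepts it on a substring match, so any Referer whose authority merely contains "localhost" or "thatcomputerscientist" passes, and a Referer that is not an absolute URL leaves `host` undefined and makes `host.includes` throw inside the route handler. Parsing with `new URL()` in a try/catch and comparing `hostname` exactly against an allowlist fixes both; the hostnames used below come from the `allowedOrigins` list removed in server.js, so confirm whether any other hostname is expected. The Referer header is set by the client, so this gate only constrains browser-originated requests; none of the PUT/DELETE/POST handlers in this hunk shows another authorization check, which is worth verifying elsewhere in the app. The same `if (checkReferer(referer)) { … } else { res.status(403).send("Forbidden"); }` wrapper is repeated in all four routes; a single `router.use((req, res, next) => (checkReferer(req.headers.referer) ? next() : res.status(403).send("Forbidden")));` placed before the routes would remove the duplication.
```javascript
const ALLOWED_HOSTS = new Set(["localhost", "thatcomputerscientist.com"]);

function checkReferer(referer) {
  if (!referer) return false;
  let hostname;
  try {
    ({ hostname } = new URL(referer));
  } catch {
    return false; // not an absolute URL
  }
  return ALLOWED_HOSTS.has(hostname);
}

// … unchanged: router.get/put/delete/post handlers …
```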
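Review bot: Replacing the origin-checking `cors({ origin })` with bare `cors()` in the second server.js hunk makes every route answer cross-origin requests from any site, so the browser-side origin restriction that the removed `allowedOrigins` list enforced now rests only on the Referer check in routes/blog.js. If the intent is to keep the restriction while dropping the callback, `app.use(cors({ origin: ["http://localhost:3000", "https://thatcomputerscientist.com"] }));` keeps the same allowlist in one line; if unrestricted CORS is intended, a comment such as `// CORS is open; origin enforcement is done per route via the Referer check` would tell the next reader that this is deliberate. The first server.js hunk, which only removes the now-unused `allowedOrigins`, needs no change.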