authorcel <cel@lOUVT+Phkvai9a/cCS/RKo+S9hnPAQdVixms/7ldpPA=.ed25519>2020-03-28 15:58:43 -0400
committercel <cel@lOUVT+Phkvai9a/cCS/RKo+S9hnPAQdVixms/7ldpPA=.ed25519>2020-04-10 16:11:50 -0400
commit9ad733614f9de494ff952b9c9f72b834bfb8252b (patch)
tree470fdc2383d9606d8e1075bbb4d73d8a3b0affce /lib/app.js
parent5a719f74ab1963f17275e28ae0aa9779b4b1ec03 (diff)
Restrict access based on Referer
Diffstat (limited to 'lib/app.js')
-rw-r--r--lib/app.js38
1 files changed, 38 insertions, 0 deletions
diff --git a/lib/app.js b/lib/app.js
index d4f0c98..d779b12 100644
--- a/lib/app.js
+++ b/lib/app.js
@@ -25,6 +25,7 @@ var fs = require('fs')
var mkdirp = require('mkdirp')
var Base64URL = require('base64-url')
var ssbKeys = require('ssb-keys')
+var Url = require('url')
var zeros = new Buffer(24); zeros.fill(0)
@@ -81,6 +82,27 @@ function App(sbot, config) {
}
}).filter(Boolean)
+ this.trustedReferers = u.toArray(conf.trustedReferers || ['http://localhost:/', 'http://127.0.0.1:/', 'http://[::1]:/', 'http://' + this.hostname + '/'])
+ this.trustedReferersParsed = this.trustedReferers.indexOf('*') > -1 ? [{
+ subdomains: true,
+ host: '',
+ port: '*',
+ }] : this.trustedReferers.map(function (pattern) {
+ var m = /^([a-z0-9\-+]+:)?\/\/+(\.)?(?:\[([0-9a-f:]*)\]|([^:/]*))(:([0-9]*?|\*))?(\/.*?)?$/.exec(pattern)
+ if (!m) return void console.trace('Unable to parse URL pattern "'+pattern+'"')
+ var port = !m[5] ? 80 :
+ !m[6] ? Number(self.port) :
+ '*' === m[6] ? '*' : Number(m[6])
+ if (port !== '*' && isNaN(port)) return void console.trace('Unable to parse port in URL pattern "'+pattern+'". Default port: "'+self.port+'"')
+ return {
+ protocol: m[1],
+ subdomains: !!m[2],
+ hostname: m[3] || m[4],
+ port: port,
+ path: m[7]
+ }
+ }).filter(Boolean)
+
var base = conf.base || '/'
this.opts = {
base: base,
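Review bot: The wildcard entry built when `trustedReferers` contains `'*'` sets `host: ''`, but the entries from the `.map()` branch use `hostname`, and `getRefererPath` (added later in this commit) reads `allow.hostname`. As written, the `allow.hostname === ''` test can never be true for the wildcard entry, so the line should be `hostname: '',`. Separately, `!m[5] ? 80` gives a pattern with no port the default 80 even when its scheme is `https:`; deriving the default from `m[1]` would avoid that. The App constructor starts and ends outside this hunk, so `self`, `conf` and `this.hostname` are assumed to be set earlier.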
@@ -152,6 +174,22 @@ App.prototype.isAllowedHostHeader = function (hostname) {
return false
}
+App.prototype.getRefererPath = function (referer) {
+ if (!referer) return
+ var url = Url.parse(referer)
+ var port = Number(url.port || 80)
+ for (var i = 0; i < this.trustedReferersParsed.length; i++) {
+ var allow = this.trustedReferersParsed[i]
+ if ((!allow.protocol || allow.protocol === url.protocol)
+ && (allow.port === '*' || allow.port === port)
+ && (allow.hostname === '' || allow.hostname === url.hostname ||
+ (allow.subdomains && host.endsWith('.'+allow.hostname)))
+ && (!allow.path || url.pathname.startsWith(allow.path))
+ ) return allow.path ? url.pathname.substr(allow.path.length) : url.pathname
+ }
+ return null
+}
+
App.prototype.go = function () {
var self = this
var server = http.createServer(function (req, res) {
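Review bot: In the subdomain branch of `getRefererPath`, `host` is not declared anywhere in the function. Unless a `host` binding exists elsewhere in the file, a Referer that reaches that branch throws a ReferenceError instead of being rejected. The line should read `(allow.subdomains && url.hostname && url.hostname.endsWith('.'+allow.hostname)))`, with the null guard because `Url.parse` can return a null hostname for a Referer that is not an absolute URL. `Number(url.port || 80)` also assumes port 80 for `https:` Referers, so a pattern with an explicit port 443 would never match a default-port https Referer. The function returns `undefined` for a missing Referer and `null` for an untrusted one; a short comment such as `// returns undefined if no Referer was sent, null if it is not trusted` would document that for callers, which are outside this hunk.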