more strict API prefix checking (and better error)

This commit is contained in:
AJ ONeal 2017-05-11 01:11:31 +00:00
parent 69ce868660
commit 1e5fd8484f
1 changed files with 12 additions and 7 deletions

17
lib/bootstrap.js vendored

@ -47,13 +47,18 @@ module.exports.create = function (app, xconfx, models) {
var resolve; var resolve;
function errorIfNotApi(req, res, next) { function errorIfNotApi(req, res, next) {
// if it's not an ip address var hostname = req.hostname || req.headers.host;
if (/[a-z]+/.test(req.hostname || req.headers.host)) {
if (!/^api\./.test(req.hostname || req.headers.host)) { if (!/^api\.[a-z0-9\-]+/.test(hostname)) {
console.warn('not API req.headers.host:', req.hostname || req.headers.host); res.send({ error:
res.send({ error: { message: "no api. subdomain prefix" } }); { message: "API access is restricted to proper 'api'-prefixed lowercase subdomains."
return; + " The HTTP 'Host' header must exist and must begin with 'api.' as in 'api.example.com'."
+ " For development you may test with api.localhost.daplie.me (or any domain by modifying your /etc/hosts)"
, code: 'E_NOT_API'
, _hostname: hostname
} }
});
return;
} }
next(); next();