Merge pull request #1203 from DEVTomatoCake/fix/no-auth-routes-head-requests

Fix HEAD requests for no authorization routes
2024-11-08 11:52:55 +01:00 · 2024-08-30 08:52:40 -04:00 · 2024-08-30 08:52:40 -04:00 · efd3816a59
commit efd3816a59
parent 8c3eec87bb 860e636c6e
1 changed files with 10 additions and 4 deletions
--- a/src/api/middlewares/Authentication.ts
+++ b/src/api/middlewares/Authentication.ts
@ -32,7 +32,7 @@ export const NO_AUTHORIZATION_ROUTES = [
 	"POST /auth/reset",
 	"GET /invites/",
 	// Routes with a seperate auth system
-	/POST \/webhooks\/\d+\/\w+\/?/, // no token requires auth
+	/^(POST|HEAD) \/webhooks\/\d+\/\w+\/?/, // no token requires auth
 	// Public information endpoints
 	"GET /ping",
 	"GET /gateway",
@ -51,11 +51,11 @@ export const NO_AUTHORIZATION_ROUTES = [
 	// Oauth callback
 	"/oauth2/callback",
 	// Asset delivery
-	/GET \/guilds\/\d+\/widget\.(json|png)/,
+	/^(GET|HEAD) \/guilds\/\d+\/widget\.(json|png)/,
 	// Connections
-	/POST \/connections\/\w+\/callback/,
+	/^(POST|HEAD) \/connections\/\w+\/callback/,
 	// Image proxy
-	/GET \/imageproxy\/[A-Za-z0-9+/]\/\d+x\d+\/.+/,
+	/^(GET|HEAD) \/imageproxy\/[A-Za-z0-9+/]\/\d+x\d+\/.+/,
 ];

 export const API_PREFIX = /^\/api(\/v\d+)?/;
@ -82,6 +82,12 @@ export async function Authentication(
 	const url = req.url.replace(API_PREFIX, "");
 	if (
 		NO_AUTHORIZATION_ROUTES.some((x) => {
+			if (req.method == "HEAD") {
+				if (typeof x === "string")
+					return url.startsWith(x.split(" ").slice(1).join(" "));
+				return x.test(req.method + " " + url);
+			}
+
 			if (typeof x === "string")
 				return (req.method + " " + url).startsWith(x);
 			return x.test(req.method + " " + url);