From 03c050ae8bdc29ba940a2b59c2b5af2068a4af5d Mon Sep 17 00:00:00 2001
From: TomatoCake <60300461+DEVTomatoCake@users.noreply.github.com>
Date: Fri, 30 Aug 2024 14:46:27 +0200
Subject: [PATCH 1/2] Fix HEAD requests for no authorization routes

---
 src/api/middlewares/Authentication.ts | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/api/middlewares/Authentication.ts b/src/api/middlewares/Authentication.ts
index ec77cbbb..b7159b9d 100644
--- a/src/api/middlewares/Authentication.ts
+++ b/src/api/middlewares/Authentication.ts
@@ -32,7 +32,7 @@ export const NO_AUTHORIZATION_ROUTES = [
 	"POST /auth/reset",
 	"GET /invites/",
 	// Routes with a seperate auth system
-	/POST \/webhooks\/\d+\/\w+\/?/, // no token requires auth
+	/(POST|HEAD) \/webhooks\/\d+\/\w+\/?/, // no token requires auth
 	// Public information endpoints
 	"GET /ping",
 	"GET /gateway",
@@ -51,11 +51,11 @@ export const NO_AUTHORIZATION_ROUTES = [
 	// Oauth callback
 	"/oauth2/callback",
 	// Asset delivery
-	/GET \/guilds\/\d+\/widget\.(json|png)/,
+	/(GET|HEAD) \/guilds\/\d+\/widget\.(json|png)/,
 	// Connections
-	/POST \/connections\/\w+\/callback/,
+	/(POST|HEAD) \/connections\/\w+\/callback/,
 	// Image proxy
-	/GET \/imageproxy\/[A-Za-z0-9+/]\/\d+x\d+\/.+/,
+	/(GET|HEAD) \/imageproxy\/[A-Za-z0-9+/]\/\d+x\d+\/.+/,
 ];
 
 export const API_PREFIX = /^\/api(\/v\d+)?/;
@@ -82,6 +82,12 @@ export async function Authentication(
 	const url = req.url.replace(API_PREFIX, "");
 	if (
 		NO_AUTHORIZATION_ROUTES.some((x) => {
+			if (req.method == "HEAD") {
+				if (typeof x === "string")
+					return url.startsWith(x.split(" ").slice(1).join(" "));
+				return x.test(req.method + " " + url);
+			}
+
 			if (typeof x === "string") return (req.method + " " + url).startsWith(x);
 			return x.test(req.method + " " + url);

From 860e636c6ede049297f465ee936abc122bb0f6f0 Mon Sep 17 00:00:00 2001
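Review bot: The image-proxy entry `/(GET|HEAD) \/imageproxy\/[A-Za-z0-9+/]\/\d+x\d+\/.+/` in the second hunk allows exactly one character between `/imageproxy/` and the `WxH` segment, because the character class carries no quantifier; if that segment is a multi-character signature or hash, this entry can never match and image-proxy requests keep requiring a token (fail-closed, but presumably not what the exemption intends). Confirm against the imageproxy route handler and, if the segment is longer than one character, change the class to `[A-Za-z0-9+/]+`. The same line is carried over unchanged into the second patch on this page, so the fix belongs there too.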
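Review bot: The new HEAD branch in the third hunk exempts every HEAD request from authentication, not only the listed routes: for the method-less string entry `"/oauth2/callback"` (visible in the second hunk), `x.split(" ").slice(1).join(" ")` yields `""`, and `url.startsWith("")` is true for any URL, so `some` returns true before any other entry is considered. If the router falls back to GET handlers for HEAD, as Express does by default, those handlers then run without a verified user, which is both a bypass and a likely source of crashes on an unset user id. Treat a method-less entry as a bare path instead, e.g. `const route = x.includes(" ") ? x.slice(x.indexOf(" ") + 1) : x;` followed by `return url.startsWith(route);`; note the existing non-HEAD branch never matches that entry either, since `"GET /oauth2/callback".startsWith("/oauth2/callback")` is false, so the entry appears to have been dead before this patch. As a point of style, `req.method == "HEAD"` should be `req.method === "HEAD"`, and the regex arm of the HEAD branch duplicates the regex arm below it and can be dropped. The `some` callback and the enclosing `Authentication` function both continue past the hunk, whose trailing context line is not visible here.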
From: TomatoCake <60300461+DEVTomatoCake@users.noreply.github.com>
Date: Fri, 30 Aug 2024 14:49:27 +0200
Subject: [PATCH 2/2] Enforce RegEx no auth routes start

---
 src/api/middlewares/Authentication.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/api/middlewares/Authentication.ts b/src/api/middlewares/Authentication.ts
index b7159b9d..b5204ffc 100644
--- a/src/api/middlewares/Authentication.ts
+++ b/src/api/middlewares/Authentication.ts
@@ -32,7 +32,7 @@ export const NO_AUTHORIZATION_ROUTES = [
 	"POST /auth/reset",
 	"GET /invites/",
 	// Routes with a seperate auth system
-	/(POST|HEAD) \/webhooks\/\d+\/\w+\/?/, // no token requires auth
+	/^(POST|HEAD) \/webhooks\/\d+\/\w+\/?/, // no token requires auth
 	// Public information endpoints
 	"GET /ping",
 	"GET /gateway",
@@ -51,11 +51,11 @@ export const NO_AUTHORIZATION_ROUTES = [
 	// Oauth callback
 	"/oauth2/callback",
 	// Asset delivery
-	/(GET|HEAD) \/guilds\/\d+\/widget\.(json|png)/,
+	/^(GET|HEAD) \/guilds\/\d+\/widget\.(json|png)/,
 	// Connections
-	/(POST|HEAD) \/connections\/\w+\/callback/,
+	/^(POST|HEAD) \/connections\/\w+\/callback/,
 	// Image proxy
-	/(GET|HEAD) \/imageproxy\/[A-Za-z0-9+/]\/\d+x\d+\/.+/,
+	/^(GET|HEAD) \/imageproxy\/[A-Za-z0-9+/]\/\d+x\d+\/.+/,
 ];
 
 export const API_PREFIX = /^\/api(\/v\d+)?/;
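Review bot: Anchoring the method at `^` closes the start of the match, but every pattern in this hunk and the next one still leaves its tail open, so `^(POST|HEAD) \/webhooks\/\d+\/\w+\/?` also exempts `POST /webhooks/1/token/anything-else`, and `^(GET|HEAD) \/guilds\/\d+\/widget\.(json|png)` also exempts `GET /guilds/1/widget.jsonx`. Whether that is acceptable depends on which other routes share those prefixes, which cannot be seen here; if the exemption is meant to cover only the named endpoints, terminate each pattern with `(\?|$)` rather than `$`, since `url` is derived from `req.url` and so still carries the query string. The string entries are prefix-matched with `startsWith` and have the same property, so it may be worth a short comment on `NO_AUTHORIZATION_ROUTES` stating that entries match by prefix.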