feat(prehandler): block bots / crawlers / spiders from fetching secrets from the API by default (#388)

* feat(prehandler): block bots from fetching secrets from the API by default

* feat(prehandler): block bots from fetching secrets from the API by default
This commit is contained in:
bjarneo 2025-02-13 15:42:49 +01:00 committed by GitHub
parent 1a95a8b689
commit cea0ac8533
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 17 additions and 6 deletions


@ -23,12 +23,6 @@ import attachment from './server/decorators/attachment-upload.js';
import jwtDecorator from './server/decorators/jwt.js';
import userFeatures from './server/decorators/user-features.js';
import readCookieAllRoutesHandler from './server/prehandlers/cookie-all-routes.js';
import disableUserAccountCreationHandler from './server/prehandlers/disable-user-account-creation.js';
import disableUserHandler from './server/prehandlers/disable-users.js';
import readOnlyHandler from './server/prehandlers/read-only.js';
import restrictOrganizationEmailHandler from './server/prehandlers/restrict-organization-email.js';
import accountRoute from './server/controllers/account.js';
import adminSettingsRoute from './server/controllers/admin/settings.js';
import usersRoute from './server/controllers/admin/users.js';
@ -39,6 +33,12 @@ import healthzRoute from './server/controllers/healthz.js';
import secretRoute from './server/controllers/secret.js';
import statsRoute from './server/controllers/stats.js';
import customHeaders from './server/plugins/custom-headers.js';
import blockBot from './server/prehandlers/block-bot.js';
import readCookieAllRoutesHandler from './server/prehandlers/cookie-all-routes.js';
import disableUserAccountCreationHandler from './server/prehandlers/disable-user-account-creation.js';
import disableUserHandler from './server/prehandlers/disable-users.js';
import readOnlyHandler from './server/prehandlers/read-only.js';
import restrictOrganizationEmailHandler from './server/prehandlers/restrict-organization-email.js';
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
@ -137,6 +137,7 @@ fastify.addHook('preHandler', disableUserHandler);
fastify.addHook('preHandler', disableUserAccountCreationHandler);
fastify.addHook('preHandler', readOnlyHandler);
fastify.addHook('preHandler', restrictOrganizationEmailHandler);
fastify.addHook('preHandler', blockBot);
function serveIndex(_, reply) {
return reply.html();
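Review bot: `fastify.addHook('preHandler', blockBot)` on L43 registers the hook after the read-only, user-disable and organization-email prehandlers, so a crawler request to `/api/secret/` still passes through all of them before being refused; since blockBot presumably needs only the User-Agent header and the URL, registering it first (or on the secret route alone rather than as a global hook that inspects `request.url` on every request) rejects earlier. A one-line comment at the registration, `// rejects crawler / link-preview fetches of /api/secret/ before the route handler runs`, would record why it sits with the other prehandlers. The surrounding hook registrations continue outside the hunk.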


@ -0,0 +1,10 @@
import { isbot } from 'isbot';
// Add bot detection prehandler
export default async function blockBot(request, reply) {
const userAgent = request.headers['user-agent'];
if (request.url.includes('/api/secret/') && isbot(userAgent)) {
return reply.code(403).send({ error: 'Bot access is not allowed' });
}
}
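Review bot: `request.url.includes('/api/secret/')` on L54 is a substring match over the whole URL, query string included, while the intent reads as a path-prefix check; `request.url.startsWith('/api/secret/')`, or registering the hook on the secret route instead of globally, pins it to the path. The User-Agent header is client-supplied and, if I recall isbot correctly, a missing or empty header is reported as not-a-bot, so this is a best-effort guard that stops link-preview fetchers and well-behaved crawlers from consuming a one-time secret, not an access control — a JSDoc replacing the comment on L51 should state the `request`/`reply` params, the 403 JSON short-circuit and that caveat so a later reader does not rely on it as one. The 403 is sent without a log line, so rejected fetches are invisible in the logs; `request.log.info({ userAgent, url: request.url }, 'blocked bot request');` before the send makes them observable. `isbot` is imported on L50 but the diffstat on L12 lists only two changed files, so either it was already a dependency or package.json and the lockfile were updated elsewhere — worth confirming the pinned version is in the lockfile.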