From 29f967a3ec463cc431a74fde325483199cad12c6 Mon Sep 17 00:00:00 2001
From: dumbmoron
Date: Tue, 17 Sep 2024 15:37:01 +0000
Subject: [PATCH] api: fix accept & content-type validation when not using authentication
---
 api/src/core/api.js | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/api/src/core/api.js b/api/src/core/api.js
index 51ec1697..fdd13ce1 100644
--- a/api/src/core/api.js
+++ b/api/src/core/api.js
@@ -105,6 +105,18 @@ export const runAPI = (express, app, __dirname) => {
 app.post('/', apiLimiter);
 app.use('/tunnel', apiLimiterStream);
+ app.post('/', (req, res, next) => {
+ if (!acceptRegex.test(req.header('Accept'))) {
+ return fail(res, "error.api.header.accept");
+ }
+
+ if (!acceptRegex.test(req.header('Content-Type'))) {
+ return fail(res, "error.api.header.content_type");
+ }
+
+ next();
+ });
+
 app.post('/', (req, res, next) => {
 if (!env.turnstileSecret || !env.jwtSecret) {
 return next();
@@ -128,14 +140,6 @@ export const runAPI = (express, app, __dirname) => {
 return fail(res, "error.api.auth.jwt.invalid");
 }
- if (!acceptRegex.test(req.header('Accept'))) {
- return fail(res, "error.api.header.accept");
- }
-
- if (!acceptRegex.test(req.header('Content-Type'))) {
- return fail(res, "error.api.header.content_type");
- }
-
 req.authorized = true;
 } catch {
 return fail(res, "error.api.generic");
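Review bot: In the new `app.post('/')` header middleware, both checks pass `req.header(...)` straight into `acceptRegex.test()`, so an absent header is coerced to the string "undefined" and rejection depends on the pattern not matching it; `acceptRegex` is defined outside this hunk, so that cannot be confirmed from here. Making the missing-header case explicit, e.g. `const contentType = req.header('Content-Type') ?? '';` before the test (and the same for `Accept`), keeps the gate fail-closed however the regex is written. If `acceptRegex` carries a `g` or `y` flag, two `.test()` calls per request on the shared instance would be stateful through `lastIndex`, which is worth checking now that the check runs on every POST rather than only on the authenticated path. A short comment such as `// header validation runs for every POST, independently of whether auth is configured` would record why this handler is registered separately and before the auth middleware; `runAPI` itself starts and ends outside the hunk.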