fix: add more domain validation to login page
thilobillerbeck committed Nov 27, 2024
1 parent 75a422d commit db8fae4
Showing 2 changed files with 13 additions and 2 deletions.
4 changes: 4 additions & 0 deletions lib/utils.ts
Expand Up @@ -32,6 +32,10 @@ export function domainToUrl(domain: string) {
return `https://${domain}`
}

export function validateDomain(domain: string) {
return domain.match(/(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]/g)
}

export function genCallBackUrl(instanceDomain: string) {
if (process.env.NODE_ENV == 'development') {
const { ADDRESS = 'localhost', PORT = '3000' } = process.env;
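Review bot: validateDomain is not anchored, so `domain.match(/(...)+[a-z0-9]...{0,61}[a-z0-9]/g)` succeeds for any string that merely contains a domain-shaped substring — `mastodon.social:8443`, `mastodon.social?x=1` or `good.example@evil.example` all pass, which defeats the purpose of the check in the /auth route. Anchor the pattern, drop the `g` flag (it is irrelevant for a yes/no check) and return a real boolean: `export function validateDomain(domain: string): boolean {` / `return /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$/.test(domain)`. Note the pattern is lowercase-only by design; the caller in routes/user.ts lowercases first, and a TSDoc line stating that precondition (`/** Accepts a lowercase DNS hostname with at least one dot; callers must lowercase first. */`) would keep other callers from tripping on it.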
11 changes: 9 additions & 2 deletions routes/user.ts
@@ -1,6 +1,6 @@
import { FastifyInstance } from "fastify";
import { Mastodon } from 'megalodon'
import { authenticateJWT, domainToUrl, genCallBackUrl } from './../lib/utils'
import { authenticateJWT, domainToUrl, genCallBackUrl, validateDomain } from './../lib/utils'
import { db, getInstanceByDomain, getUserByMastodonUid } from './../lib/db'
import { AtpSessionData } from "@atproto/api";

Expand Down Expand Up @@ -70,7 +70,14 @@ export const routesUser = async (app: FastifyInstance, options: Object) => {
}
}>('/auth', async (req, res) => {
let instanceDomain: string = req.query.instance || "mastodon.social"
instanceDomain = instanceDomain.toLowerCase().replace(/https?:\/\//, "")
instanceDomain = instanceDomain.toLowerCase().replace(/https?:\/\//, "").replace("/", "")

if(!validateDomain(instanceDomain)) {
return res.status(400).view("login", {
err: 'Invalid instance domain'
})
}

const url = domainToUrl(instanceDomain)
let client = new Mastodon(url)

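Review bot: `.replace("/", "")` on the new normalization line removes only the first slash and keeps everything after it, so `mastodon.social/api/v1` is folded into `mastodon.socialapiv1` and handed to `domainToUrl` instead of being rejected, and because validateDomain is an unanchored `match`, inputs such as `mastodon.social:8443` or `good.example@evil.example` also pass the new guard and reach `new Mastodon(url)` unchanged. Keep only the host segment and anchor the scheme strip as well: `instanceDomain = instanceDomain.toLowerCase().replace(/^https?:\/\//, "").split("/")[0]`. With that, the 400 branch actually fires for path- and port-bearing input rather than producing a request to a host that does not exist. The '/auth' handler begins before and continues past this hunk, so the later use of `url` is not visible here.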

0 comments on commit db8fae4

Please sign in to comment.