diag: log checkOrigin rejections
This commit is contained in:
parent
de1282fcd6
commit
da99cfdb60
1 changed files with 9 additions and 1 deletions
10
src/auth.js
10
src/auth.js
|
|
@ -80,12 +80,20 @@ export function checkOrigin(req, res, next) {
|
||||||
if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
|
if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
|
||||||
const origin = req.get('origin') || req.get('referer');
|
const origin = req.get('origin') || req.get('referer');
|
||||||
if (origin) {
|
if (origin) {
|
||||||
|
const allowed = allowedHosts(req);
|
||||||
try {
|
try {
|
||||||
const host = new URL(origin).host;
|
const host = new URL(origin).host;
|
||||||
if (allowedHosts(req).has(host)) return next();
|
if (allowed.has(host)) return next();
|
||||||
} catch {
|
} catch {
|
||||||
/* fall through */
|
/* fall through */
|
||||||
}
|
}
|
||||||
|
log.warn('checkOrigin rejected', {
|
||||||
|
origin,
|
||||||
|
host: req.get('host'),
|
||||||
|
xForwardedHost: req.get('x-forwarded-host'),
|
||||||
|
allowed: [...allowed],
|
||||||
|
path: req.path,
|
||||||
|
});
|
||||||
return res.status(403).send('Bad origin');
|
return res.status(403).send('Bad origin');
|
||||||
}
|
}
|
||||||
// No Origin/Referer header (e.g. some curl uploads) — allow; SameSite cookie still guards browsers.
|
// No Origin/Referer header (e.g. some curl uploads) — allow; SameSite cookie still guards browsers.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue