diag: log checkOrigin rejections
This commit is contained in:
parent
de1282fcd6
commit
da99cfdb60
1 changed files with 9 additions and 1 deletions
10
src/auth.js
10
src/auth.js
|
|
@ -80,12 +80,20 @@ export function checkOrigin(req, res, next) {
|
|||
if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
|
||||
const origin = req.get('origin') || req.get('referer');
|
||||
if (origin) {
|
||||
const allowed = allowedHosts(req);
|
||||
try {
|
||||
const host = new URL(origin).host;
|
||||
if (allowedHosts(req).has(host)) return next();
|
||||
if (allowed.has(host)) return next();
|
||||
} catch {
|
||||
/* fall through */
|
||||
}
|
||||
log.warn('checkOrigin rejected', {
|
||||
origin,
|
||||
host: req.get('host'),
|
||||
xForwardedHost: req.get('x-forwarded-host'),
|
||||
allowed: [...allowed],
|
||||
path: req.path,
|
||||
});
|
||||
return res.status(403).send('Bad origin');
|
||||
}
|
||||
// No Origin/Referer header (e.g. some curl uploads) — allow; SameSite cookie still guards browsers.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue