Merge pull request #27 from Raphencoder/patch-1

Update to authorize local ipv4 addresses
2024-12-06 06:05:23 +00:00
parent bbf8683004 5e5448a9e9
commit 63a39970fa
3 changed files with 69 additions and 20 deletions
--- a/lib/auth.ts
+++ b/lib/auth.ts
@@ -50,6 +50,13 @@ async function verifyAuthJwt(key: CryptoKey, jwt: string) {
  throw new Error('Invalid JWT');
 }

+function resolveCookieDomain(request: Request) {
+  if (!isBaseUrlAnIp() || isRunningLocally(request)) {
+    return baseUrl.replace('https://', '').replace('http://', '').split(':')[0];
+  }
+  return '';
+}
+
 export async function getDataFromRequest(request: Request) {
  const cookies = getCookies(request.headers);
  const authorizationHeader = request.headers.get('authorization');
@@ -158,14 +165,9 @@ export async function logoutUser(request: Request) {
    secure: isRunningLocally(request) ? false : true,
    httpOnly: true,
    sameSite: 'Lax',
+    domain: resolveCookieDomain(request),
  };

-  if (!isBaseUrlAnIp()) {
-    cookie.domain = isRunningLocally(request)
-      ? 'localhost'
-      : baseUrl.replace('https://', '').replace('http://', '').split(':')[0];
-  }
-
  const response = new Response('Logged Out', {
    status: 303,
    headers: { 'Location': '/', 'Content-Type': 'text/html; charset=utf-8' },
@@ -212,14 +214,9 @@ export async function createSessionCookie(
    secure: isRunningLocally(request) ? false : true,
    httpOnly: true,
    sameSite: 'Lax',
+    domain: resolveCookieDomain(request),
  };

-  if (!isBaseUrlAnIp()) {
-    cookie.domain = isRunningLocally(request)
-      ? 'localhost'
-      : baseUrl.replace('https://', '').replace('http://', '').split(':')[0];
-  }
-
  setCookie(response.headers, cookie);

  return response;
@@ -241,14 +238,9 @@ export async function updateSessionCookie(
    secure: isRunningLocally(request) ? false : true,
    httpOnly: true,
    sameSite: 'Lax',
+    domain: resolveCookieDomain(request),
  };

-  if (!isBaseUrlAnIp()) {
-    cookie.domain = isRunningLocally(request)
-      ? 'localhost'
-      : baseUrl.replace('https://', '').replace('http://', '').split(':')[0];
-  }
-
  setCookie(response.headers, cookie);

  return response;
--- a/lib/utils/misc.ts
+++ b/lib/utils/misc.ts
@@ -13,8 +13,43 @@ export const defaultTitle = 'bewCloud is a modern and simpler alternative to Nex
 export const defaultDescription = `Have your files under your own control.`;
 export const helpEmail = 'help@bewcloud.com';

-export function isRunningLocally(request: Request) {
-  return request.url.includes('localhost');
+export function isRunningLocally(request: Request): boolean {
+  try {
+    const url = new URL(request.url);
+    const hostname = url.hostname;
+
+    // Local hostnames check
+    if (['localhost', '127.0.0.1', '0.0.0.0'].includes(hostname)) {
+      return true;
+    }
+
+    // Private IP ranges check
+    const ipParts = hostname.split('.').map(Number);
+    
+    // Check if valid IP address
+    if (ipParts.length !== 4 || ipParts.some(part => isNaN(part) || part < 0 || part > 255)) {
+      return false;
+    }
+
+    // 10.0.0.0 - 10.255.255.255
+    if (ipParts[0] === 10) {
+      return true;
+    }
+
+    // 172.16.0.0 - 172.31.255.255
+    if (ipParts[0] === 172 && ipParts[1] >= 16 && ipParts[1] <= 31) {
+      return true;
+    }
+
+    // 192.168.0.0 - 192.168.255.255
+    if (ipParts[0] === 192 && ipParts[1] === 168) {
+      return true;
+    }
+
+    return false;
+  } catch {
+    return false;
+  }
 }

 export function escapeHtml(unsafe: string) {
--- a/lib/utils/misc_test.ts
+++ b/lib/utils/misc_test.ts
@@ -8,6 +8,7 @@ import {
  splitArrayInChunks,
  validateEmail,
  validateUrl,
+  isRunningLocally,
 } from './misc.ts';

 Deno.test('that escapeHtml works', () => {
@@ -246,3 +247,24 @@ Deno.test('that convertObjectToFormData works', () => {
    assertEquals(convertFormDataToObject(output), convertFormDataToObject(test.expected));
  }
 });
+
+
+Deno.test('that isRunningLocally works', () => {
+  const tests: { url: string; expected: boolean }[] = [
+    { url: 'http://localhost:8000', expected: true },
+    { url: 'http://127.0.0.1:8000', expected: true },
+    { url: 'http://0.0.0.0:8000', expected: true },
+    { url: 'http://10.0.0.1:8000', expected: true },
+    { url: 'http://172.16.0.1:8000', expected: true },
+    { url: 'http://192.168.0.1:8000', expected: true },
+    { url: 'http://example.com', expected: false },
+    { url: 'http://68.18.161.245:8000', expected: false },
+  ];
+
+  for (const test of tests) {
+    const request = { url: test.url } as Request;
+    const result = isRunningLocally(request);
+    assertEquals(result, test.expected);
+  }
+});
+