Merge branch 'production' into main

2022-08-22 10:32:25 -07:00 · 2022-08-22 10:32:25 -07:00 · 662b437a18
parent e7f1413ed8 025019f789
commit 662b437a18
2 changed files with 24 additions and 1 deletions
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@ -1,6 +1,7 @@
 import { collectEvents } from "next-collect/server";
-import { NextMiddleware, NextResponse } from "next/server";
+import { NextMiddleware, NextResponse, userAgent } from "next/server";

+import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
 import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";

 const V2_WHITELIST = ["/settings/admin"];
@ -8,6 +9,19 @@ const V2_WHITELIST = ["/settings/admin"];
 const middleware: NextMiddleware = async (req) => {
  const url = req.nextUrl;

+  if (url.pathname.startsWith("/api/auth")) {
+    const callbackUrl = url.searchParams.get("callbackUrl");
+    const { isBot } = userAgent(req);
+
+    if (
+      isBot ||
+      (callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u)))
+    ) {
+      // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback
+      req.nextUrl.pathname = "/api/nope";
+      return NextResponse.redirect(req.nextUrl);
+    }
+  }
  /** Display available V2 pages to users who opted-in to early access */
  if (req.cookies.has("calcom-v2-early-access") && V2_WHITELIST.some((p) => url.pathname.startsWith(p))) {
    // rewrite to the current subdomain under the pages/sites folder
--- a/apps/web/pages/api/nope.ts
+++ b/apps/web/pages/api/nope.ts
@ -0,0 +1,9 @@
+import type { NextApiRequest, NextApiResponse } from "next";
+
+type Response = {
+  message: string;
+};
+
+export default async function handler(req: NextApiRequest, res: NextApiResponse<Response>): Promise<void> {
+  return res.status(400).json({ message: "Please don't" });
+}