From cf9116b5bb59f7c8332df2e05b51c6e3f45afbd6 Mon Sep 17 00:00:00 2001
From: Hariom Balhara
Date: Tue, 16 Aug 2022 22:45:13 +0530
Subject: [PATCH] Avoid DDOS (#3871)

---
 apps/web/middleware.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts
index fb9815d3e2..2d4565c473 100644
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@@ -9,6 +9,13 @@ const V2_WHITELIST = ["/settings/admin"];
 const middleware: NextMiddleware = async (req) => {
   const url = req.nextUrl;
+  if (url.pathname === "/api/auth/session") {
+    const callbackUrl = url.searchParams.get("callbackUrl");
+    if (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://")) {
+      // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback
+      return new NextResponse();
+    }
+  }
   /** Display available V2 pages to users who opted-in to early access */
   if (req.cookies.has("calcom-v2-early-access") && V2_WHITELIST.some((p) => url.pathname.startsWith(p))) {
     // rewrite to the current subdomain under the pages/sites folder
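Review bot: `return new NextResponse();` answers a rejected `callbackUrl` with an empty 200, so in access logs and to any monitoring the short-circuit is indistinguishable from a successful session fetch; an explicit client-error status, e.g. `return new NextResponse(null, { status: 400 });`, keeps the same early exit while making the rejection visible to clients and to rate-limiting or alerting that keys on status codes. The prefix test also rejects relative values such as `/` or `/settings`, which are not absolute URLs but may be what the app's own sign-in flow passes — worth confirming that only absolute http(s) callbacks are expected on this endpoint, and stating that in the comment (the comment could also read "DoS prevention" rather than "DDOS"). The pathname comparison is exact, so a variant such as a trailing-slash form would fall through to the normal handler unless Next.js normalizes it first; confirming that assumption would close the gap. The body of `middleware` continues outside the hunk.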