Avoid DDOS (#3871)

pull/3888/head
Hariom Balhara 2022-08-16 22:45:13 +05:30 committed by GitHub
parent 5b6818a3cc
commit cf9116b5bb
1 changed files with 7 additions and 0 deletions


@ -9,6 +9,13 @@ const V2_WHITELIST = ["/settings/admin"];
const middleware: NextMiddleware = async (req) => { const middleware: NextMiddleware = async (req) => {
const url = req.nextUrl; const url = req.nextUrl;
if (url.pathname === "/api/auth/session") {
const callbackUrl = url.searchParams.get("callbackUrl");
if (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://")) {
// DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback
return new NextResponse();
}
}
/** Display available V2 pages to users who opted-in to early access */ /** Display available V2 pages to users who opted-in to early access */
if (req.cookies.has("calcom-v2-early-access") && V2_WHITELIST.some((p) => url.pathname.startsWith(p))) { if (req.cookies.has("calcom-v2-early-access") && V2_WHITELIST.some((p) => url.pathname.startsWith(p))) {
// rewrite to the current subdomain under the pages/sites folder // rewrite to the current subdomain under the pages/sites folder