enforce x-client header (#15476)

Phillip Thelen
2025-07-22 21:00:51 +02:00
committed by GitHub
parent d1a18c121d
commit 17d22dda3f
3 changed files with 51 additions and 1 deletions


@@ -4,6 +4,7 @@ import url from 'url';
import {
InvalidCredentialsError,
NotAuthorized,
BadRequest,
} from '../libs/errors';
import {
model as User,
@@ -12,6 +13,8 @@ import gcpStackdriverTracer from '../libs/gcpTraceAgent';
import common from '../../common';
import { getLanguageFromUser } from '../libs/language';
const ENFORCE_CLIENT_HEADER = nconf.get('ENFORCE_CLIENT_HEADER') === 'true';
const OFFICIAL_PLATFORMS = ['habitica-web', 'habitica-ios', 'habitica-android'];
const COMMUNITY_MANAGER_EMAIL = nconf.get('EMAILS_COMMUNITY_MANAGER_EMAIL');
const USER_FIELDS_ALWAYS_LOADED = ['_id', '_v', 'notifications', 'preferences', 'auth', 'flags', 'permissions'];
@@ -63,6 +66,10 @@ export function authWithHeaders (options = {}) {
const client = req.header('x-client');
const optional = options.optional || false;
if (ENFORCE_CLIENT_HEADER && !client) {
return next(new BadRequest(res.t('missingClientHeader')));
}
if (!userId || !apiToken) {
if (optional) return next();
return next(new NotAuthorized(res.t('missingAuthHeaders')));
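Review bot: The guard `if (ENFORCE_CLIENT_HEADER && !client)` in the third hunk only rejects a missing or empty `x-client`; any non-empty value passes, and `OFFICIAL_PLATFORMS` from the second hunk is not consulted in the lines shown (it may be read in one of the other changed files). Because the header is set by the caller and is not tied to the credentials checked just below, it can label a request for attribution but does not authenticate the client. I would state that next to the check, e.g. `// x-client is caller-supplied and unauthenticated: use it for attribution only, never for authorization decisions`. The body of authWithHeaders starts and ends outside this hunk, so any later use of `client` is not visible here.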