@jayfong/x-server 1.34.3 → 1.34.4

package/lib/_cjs/core/server.js

@@ -162,7 +162,17 @@ class Server {
       method: 'POST',
       url: '/@',
       handler: async (req, res) => {
-        const requestPath = req.headers['x-path'];
+        let requestPath = req.headers['x-path'] || '';
+
+        if (!requestPath.startsWith('/')) {
+          const [_requestPath, _time] = (0, _vtils.base64UrlDecode)((0, _vtils.rot13)(requestPath)).split('#');
+
+          if (!_time || Date.now() / 1000 - Number(_time) > 5 * 60) {
+            throw new _http_error.HttpError.Forbidden();
+          }
+
+          requestPath = _requestPath;
+        }
 
         if (!requestPath || !routeMap[requestPath]) {
           throw new _http_error.HttpError.NotFound();

package/lib/core/server.js

@@ -1,5 +1,5 @@
 import Fastify from 'fastify';
-import { castArray, keyBy, noop } from 'vtils';
+import { base64UrlDecode, castArray, keyBy, noop, rot13 } from 'vtils';
 import { HandlerMethodToHttpMethod } from "./http_method";
 import { HttpError } from "./http_error";
 import { x } from "../x";
@@ -147,7 +147,17 @@ export class Server {
       method: 'POST',
       url: '/@',
       handler: async (req, res) => {
-        const requestPath = req.headers['x-path'];
+        let requestPath = req.headers['x-path'] || '';
+
+        if (!requestPath.startsWith('/')) {
+          const [_requestPath, _time] = base64UrlDecode(rot13(requestPath)).split('#');
+
+          if (!_time || Date.now() / 1000 - Number(_time) > 5 * 60) {
+            throw new HttpError.Forbidden();
+          }
+
+          requestPath = _requestPath;
+        }
 
         if (!requestPath || !routeMap[requestPath]) {
           throw new HttpError.NotFound();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jayfong/x-server",
-  "version": "1.34.3",
+  "version": "1.34.4",
   "license": "ISC",
   "sideEffects": false,
   "main": "lib/_cjs/index.js",