npm - @waline/vercel - Versions diffs - 1.39.0 → 1.39.2 - Mend

@waline/vercel 1.39.0 → 1.39.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@waline/vercel",
-  "version": "1.39.0",
+  "version": "1.39.2",
   "description": "vercel server for waline comment system",
   "keywords": [
     "blog",

package/src/controller/rest.js CHANGED Viewed

@@ -21,7 +21,7 @@ module.exports = class extends think.Controller {
     const filename = this.__filename || __filename;
     const last = filename.lastIndexOf(path.sep);
-    return filename.slice(last + 1, filename.length - last - 4);
+    return filename.slice(last + 1, - 3);
   }
   getId() {
@@ -32,7 +32,6 @@ module.exports = class extends think.Controller {
     }
     const last = decodeURIComponent(this.ctx.path.split('/').pop());
     if (last !== this.resource && /^([a-z0-9]+,?)*$/i.test(last)) {
       return last;
     }

package/src/logic/base.js CHANGED Viewed

@@ -13,65 +13,9 @@ module.exports = class BaseLogic extends think.Logic {
   // oxlint-disable-next-line max-statements
   async __before() {
-    const referrer = this.ctx.referrer(true);
-    let { origin } = this.ctx;
-    if (origin) {
-      try {
-        const parsedOrigin = new URL(origin);
-        origin = parsedOrigin.hostname;
-      } catch (err) {
-        console.error('Invalid origin format:', origin, err);
-      }
-    }
-    let { secureDomains } = this.config();
-    if (secureDomains) {
-      secureDomains = think.isArray(secureDomains) ? secureDomains : [secureDomains];
-      secureDomains.push(
-        'localhost',
-        '127.0.0.1',
-        // 'github.com',
-        // 'api.twitter.com',
-        // 'www.facebook.com',
-        // 'api.weibo.com',
-        // 'graph.qq.com',
-      );
-      secureDomains = [
-        ...secureDomains,
-        ...this.ctx.state.oauthServices.map(({ origin }) => origin),
-      ];
-      // 转换可能的正则表达式字符串为正则表达式对象
-      secureDomains = secureDomains
-        .map((domain) => {
-          // 如果是正则表达式字符串，创建一个 RegExp 对象
-          if (typeof domain === 'string' && domain.startsWith('/') && domain.endsWith('/')) {
-            try {
-              return new RegExp(domain.slice(1, -1)); // 去掉斜杠并创建 RegExp 对象
-            } catch (err) {
-              console.error('Invalid regex pattern in secureDomains:', domain, err);
-              return null;
-            }
-          }
-          return domain;
-        })
-        .filter(Boolean); // 过滤掉无效的正则表达式
-      // 有 referrer 检查 referrer，没有则检查 origin
-      const checking = referrer || origin;
-      const isSafe = secureDomains.some((domain) =>
-        think.isFunction(domain.test) ? domain.test(checking) : domain === checking,
-      );
-      if (!isSafe) {
-        return this.ctx.throw(403);
-      }
+    const referrerCheckResult = this.referrerCheck();
+    if (!referrerCheckResult) {
+      return this.ctx.throw(403);
     }
     this.ctx.state.userInfo = {};
@@ -134,11 +78,65 @@ module.exports = class BaseLogic extends think.Logic {
     this.ctx.state.token = token;
   }
+  referrerCheck() {
+    let { secureDomains } = this.config();
+    if (!secureDomains) {
+      return true;
+    }
+    const whitelistPath = ['/api/comment/rss'];
+    if (this.ctx.path && whitelistPath.includes(this.ctx.path)) {
+      return true;
+    }
+    const referrer = this.ctx.referrer(true);
+    let { origin } = this.ctx;
+    if (origin) {
+      try {
+        const parsedOrigin = new URL(origin);
+        origin = parsedOrigin.hostname;
+      } catch (err) {
+        console.error('Invalid origin format:', origin, err);
+      }
+    }
+    secureDomains = think.isArray(secureDomains) ? secureDomains : [secureDomains];
+    secureDomains.push('localhost', '127.0.0.1');
+    secureDomains = [...secureDomains, ...this.ctx.state.oauthServices.map(({ origin }) => origin)];
+    // 转换可能的正则表达式字符串为正则表达式对象
+    secureDomains = secureDomains
+      .map((domain) => {
+        // 如果是正则表达式字符串，创建一个 RegExp 对象
+        if (typeof domain === 'string' && domain.startsWith('/') && domain.endsWith('/')) {
+          try {
+            return new RegExp(domain.slice(1, -1)); // 去掉斜杠并创建 RegExp 对象
+          } catch (err) {
+            console.error('Invalid regex pattern in secureDomains:', domain, err);
+            return null;
+          }
+        }
+        return domain;
+      })
+      .filter(Boolean); // 过滤掉无效的正则表达式
+    // 有 referrer 检查 referrer，没有则检查 origin
+    const checking = referrer || origin;
+    const isSafe = secureDomains.some((domain) =>
+      think.isFunction(domain.test) ? domain.test(checking) : domain === checking,
+    );
+    return isSafe;
+  }
   getResource() {
     const filename = this.__filename || __filename;
     const last = filename.lastIndexOf(path.sep);
-    return filename.slice(last + 1, filename.length - last - 4);
+    return filename.slice(last + 1, -3);
   }
   getId() {