bulltrackers-module 1.0.621 → 1.0.622
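--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -27,6 +27,10 @@ function createApiV2App(config, dependencies) {
 const app = express();
 const { logger } = dependencies;
 
+// Trust proxy - Required when behind a load balancer/proxy (e.g., Google Cloud Functions)
+// This allows express-rate-limit to correctly identify client IPs from X-Forwarded-For headers
+app.set('trust proxy', true);
+
 // CORS Configuration - Restrict to specific origins
 app.use(cors({
 origin: function (origin, callback) {
@@ -113,7 +113,8 @@ const resolveUserIdentity = async (req, res, next) => {
 // SECURITY: For private routes, require Firebase Auth to prevent IDOR attacks
 if (!isPublic && !authenticatedUserCid && !hasFirebaseAuth) {
 // Private route without authentication - reject immediately
-
+// This is expected behavior - the security system is working correctly
+console.log(`[Identity] Rejected unauthorized access to private route ${req.path} (no Firebase Auth token provided)`);
 return res.status(401).json({
 error: "Authentication required. Please provide a valid Firebase ID token in the Authorization header."
 });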
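Review bot: `app.set('trust proxy', true)` in the first hunk tells Express to believe every entry in X-Forwarded-For, so `req.ip` becomes the leftmost address, which is the one the caller supplies; a client can therefore present a different IP on each request and the express-rate-limit keying the comment above it describes no longer limits anything (recent express-rate-limit versions warn about exactly this permissive setting). Trust only the hops actually in front of the app, e.g. `app.set('trust proxy', 1);` — the right count depends on what Google Cloud Functions places in front of the function and should be confirmed for this deployment rather than assumed. In the second hunk the rejection is written with `console.log` even though createApiV2App destructures a `logger` from dependencies; if that logger is reachable from resolveUserIdentity, emitting the event through it at warning level with the path as a structured field would make these rejections easier to alert on and keep the untrusted `req.path` out of free-form log text. Both enclosing functions start before their hunks and continue past them.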