ijihun-planner-studio 0.1.1 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/server.mjs +11 -4
package/package.json
CHANGED
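--- a/package/server.mjs
+++ b/package/server.mjs
@@ -362,11 +362,17 @@ function isUnsafeMethod(method) {
 return !["GET", "HEAD", "OPTIONS"].includes(method || "GET");
 }
 
-function originAllowed(req) {
+function originAllowed(req, options = {}) {
 const origin = req.headers.origin;
 if (!origin) return true;
 const normalized = normalizeOrigin(origin);
-if (!normalized)
+if (!normalized) {
+return Boolean(
+options.allowNullOrigin
+&& String(origin).trim() === "null"
+&& trustedOrigins.has(requestOrigin(req))
+);
+}
 return trustedOrigins.has(normalized) || normalized === requestOrigin(req);
 }
 
@@ -524,9 +530,10 @@ async function handleAuth(req, res, url) {
 else sendJson(res, 503, { ok: false, error: "Owner authentication is not configured" }, corsHeaders(req));
 return true;
 }
-if (!originAllowed(req)) {
+if (!originAllowed(req, { allowNullOrigin: formLogin })) {
 logOriginBlocked(req, url.pathname);
-
+if (formLogin) redirect(res, "/login?error=1");
+else sendJson(res, 403, { ok: false, error: "Origin not allowed" }, corsHeaders(req));
 return true;
 }
 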
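Review bot: The null-origin branch added to originAllowed accepts `Origin: null` on the strength of `trustedOrigins.has(requestOrigin(req))` alone, and requestOrigin (defined outside this hunk) appears to be derived from the request's own Host header, which describes the server the request reached rather than the page that sent it, so any cross-site submission that arrives with a null Origin — sandboxed iframes, cross-scheme redirects, some privacy configurations — passes the check for the login form. If the intent is only to tolerate same-site submissions that browsers report as `null`, the branch should also consult the `Sec-Fetch-Site` header where present, e.g. `&& req.headers["sec-fetch-site"] !== "cross-site"`, and the form-login path should rely on a per-form CSRF token rather than the Origin comparison alone. The opt-in deserves a comment on the new `options` parameter, such as `// allowNullOrigin: accept "Origin: null" (file://, sandboxed frames) for form posts; still requires the request to target a trusted origin`, so the relaxation is visible to the next reader. This applies to the first hunk; the second hunk only forwards `formLogin` as the option and its enclosing handleAuth starts outside the hunk.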