xinyin025/ChatGPT-Next-Web
1
0
Fork 0
mirror of https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web.git synced 2025-10-03 00:26:40 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #33 from sijinhui/dev

Browse Source 
Dev
This commit is contained in:
sijinhui 2024-03-22 16:55:01 +08:00 committed by GitHub
commit c536ea7d48
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 36 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
app/api/webdav/[...path]/route.ts
View File

@ -12,17 +12,28 @@ async function handle(
const requestUrl = new URL(req.url);
let endpoint = requestUrl.searchParams.get("endpoint");
if (!endpoint?.endsWith("/")) {
endpoint += "/";
// Validate the endpoint to prevent potential SSRF attacks
if (!endpoint || !endpoint.startsWith("/")) {
return NextResponse.json(
{
error: true,
msg: "Invalid endpoint",
},
{
status: 400,
},
);
}
const endpointPath = params.path.join("/");
const targetPath = `${endpoint}/${endpointPath}`;
// only allow MKCOL, GET, PUT
if (req.method !== "MKCOL" && req.method !== "GET" && req.method !== "PUT") {
return NextResponse.json(
{
error: true,
msg: "you are not allowed to request " + params.path.join("/"),
msg: "you are not allowed to request " + targetPath,
},
{
status: 403,
@ -32,13 +43,13 @@ async function handle(
// for MKCOL request, only allow request ${folder}
if (
req.method == "MKCOL" &&
!new URL(endpointPath).pathname.endsWith(folder)
req.method === "MKCOL" &&
!targetPath.endsWith(folder)
) {
return NextResponse.json(
{
error: true,
msg: "you are not allowed to request " + params.path.join("/"),
msg: "you are not allowed to request " + targetPath,
},
{
status: 403,
@ -48,13 +59,13 @@ async function handle(
// for GET request, only allow request ending with fileName
if (
req.method == "GET" &&
!new URL(endpointPath).pathname.endsWith(fileName)
req.method === "GET" &&
!targetPath.endsWith(fileName)
) {
return NextResponse.json(
{
error: true,
msg: "you are not allowed to request " + params.path.join("/"),
msg: "you are not allowed to request " + targetPath,
},
{
status: 403,
@ -64,13 +75,13 @@ async function handle(
// for PUT request, only allow request ending with fileName
if (
req.method == "PUT" &&
!new URL(endpointPath).pathname.endsWith(fileName)
req.method === "PUT" &&
!targetPath.endsWith(fileName)
) {
return NextResponse.json(
{
error: true,
msg: "you are not allowed to request " + params.path.join("/"),
msg: "you are not allowed to request " + targetPath,
},
{
status: 403,
@ -78,7 +89,7 @@ async function handle(
);
}
const targetUrl = `${endpoint + endpointPath}`;
const targetUrl = `${endpoint}/${endpointPath}`;
const method = req.method;
const shouldNotHaveBody = ["get", "head"].includes(

5
docker-compose.yml
View File

@ -39,6 +39,11 @@ services:
- NEXTAUTH_SECRET=$NEXTAUTH_SECRET
- AUTH_GITHUB_ID=$AUTH_GITHUB_ID
- AUTH_GITHUB_SECRET=$AUTH_GITHUB_SECRET
- EMAIL_SERVER_HOST=$EMAIL_SERVER_HOST
- EMAIL_SERVER_PORT=$EMAIL_SERVER_PORT
- EMAIL_SERVER_USER=$EMAIL_SERVER_USER
- EMAIL_SERVER_PASSWORD=$EMAIL_SERVER_PASSWORD
- EMAIL_FROM=$EMAIL_FROM
- SECURE_COOKIES=$SECURE_COOKIES
volumes:
- /etc/localtime:/etc/localtime

14
lib/auth.ts
View File

@ -10,8 +10,8 @@ const SECURE_COOKIES:boolean = !!process.env.SECURE_COOKIES;
export const authOptions: NextAuthOptions = {
debug: true,
// debug: !SECURE_COOKIES,
// debug: true,
debug: !SECURE_COOKIES,
useSecureCookies: SECURE_COOKIES,
secret: process.env.NEXTAUTH_SECRET,
providers: [
@ -76,11 +76,11 @@ export const authOptions: NextAuthOptions = {
}
})
],
pages: {
signIn: `/login`,
// verifyRequest: `/login`,
error: "/login", // Error code passed in query string as ?error=
},
// pages: {
// signIn: `/login`,
// // verifyRequest: `/login`,
// error: "/login", // Error code passed in query string as ?error=
// },
adapter: PrismaAdapter(prisma),
session: { strategy: "jwt", maxAge: 3 * 24 * 60 * 60 },
cookies: {