]> git.immae.eu Git - github/Chocobozzz/PeerTube.git/blob - server/controllers/api/oauth-clients.ts
Fix runner api rate limit bypass
[github/Chocobozzz/PeerTube.git] / server / controllers / api / oauth-clients.ts
1 import express from 'express'
2 import { isTestOrDevInstance } from '@server/helpers/core-utils'
3 import { OAuthClientModel } from '@server/models/oauth/oauth-client'
4 import { HttpStatusCode, OAuthClientLocal } from '@shared/models'
5 import { logger } from '../../helpers/logger'
6 import { CONFIG } from '../../initializers/config'
7 import { apiRateLimiter, asyncMiddleware, openapiOperationDoc } from '../../middlewares'
8
9 const oauthClientsRouter = express.Router()
10
11 oauthClientsRouter.use(apiRateLimiter)
12
13 oauthClientsRouter.get('/local',
14 openapiOperationDoc({ operationId: 'getOAuthClient' }),
15 asyncMiddleware(getLocalClient)
16 )
17
18 // Get the client credentials for the PeerTube front end
19 async function getLocalClient (req: express.Request, res: express.Response, next: express.NextFunction) {
20 const serverHostname = CONFIG.WEBSERVER.HOSTNAME
21 const serverPort = CONFIG.WEBSERVER.PORT
22 let headerHostShouldBe = serverHostname
23 if (serverPort !== 80 && serverPort !== 443) {
24 headerHostShouldBe += ':' + serverPort
25 }
26
27 // Don't make this check if this is a test instance
28 if (!isTestOrDevInstance() && req.get('host') !== headerHostShouldBe) {
29 logger.info('Getting client tokens for host %s is forbidden (expected %s).', req.get('host'), headerHostShouldBe)
30 return res.fail({
31 status: HttpStatusCode.FORBIDDEN_403,
32 message: `Getting client tokens for host ${req.get('host')} is forbidden`
33 })
34 }
35
36 const client = await OAuthClientModel.loadFirstClient()
37 if (!client) throw new Error('No client available.')
38
39 const json: OAuthClientLocal = {
40 client_id: client.clientId,
41 client_secret: client.clientSecret
42 }
43 return res.json(json)
44 }
45
46 // ---------------------------------------------------------------------------
47
48 export {
49 oauthClientsRouter
50 }