maronato/cal
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

DDOS mitigation updates

This commit is contained in:
zomars 2022-08-16 13:50:09 -06:00
parent cf9116b5bb
commit 6dcb0c43ab
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
apps/web/middleware.ts
View File

@ -1,6 +1,6 @@
import { collectEvents } from "next-collect/server";
// eslint-disable-next-line @next/next/no-server-import-in-page
import { NextMiddleware, NextResponse } from "next/server";
import { NextMiddleware, NextResponse, userAgent } from "next/server";
import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";
@ -9,11 +9,13 @@ const V2_WHITELIST = ["/settings/admin"];
const middleware: NextMiddleware = async (req) => {
const url = req.nextUrl;
if (url.pathname === "/api/auth/session") {
if (url.pathname.startsWith("/api/auth")) {
const callbackUrl = url.searchParams.get("callbackUrl");
if (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://")) {
const { isBot } = userAgent(req);
if (isBot || (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://"))) {
// DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback
return new NextResponse();
const res = new NextResponse("hey", { status: 400, statusText: "Please don't" });
return res;
}
}
/** Display available V2 pages to users who opted-in to early access */