saulteafarmer/plebdevs
1
0
Fork 0
mirror of https://github.com/AustinKelsay/plebdevs.git synced 2025-06-06 18:31:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Trying x-vercel-protection-bypass to prevent external requests

Browse Source
This commit is contained in:
austinkelsay 2024-09-30 19:23:15 -05:00
parent a1f47e0dd3
commit b55a3cd892
1 changed files with 5 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/middleware.js
View File

@ -2,11 +2,6 @@ import { NextResponse } from 'next/server';
import { Ratelimit } from '@upstash/ratelimit'; import { Ratelimit } from '@upstash/ratelimit';
import { kv } from '@vercel/kv'; import { kv } from '@vercel/kv';
const FRONTEND_HOSTNAME = process.env.FRONTEND_HOSTNAME
const FRONTEND_STAGING_HOSTNAME = process.env.FRONTEND_STAGING_HOSTNAME
const BACKEND_URL = process.env.BACKEND_URL
const BACKEND_STAGING_URL = process.env.BACKEND_STAGING_URL
const ratelimit = new Ratelimit({ const ratelimit = new Ratelimit({
redis: kv, redis: kv,
limiter: Ratelimit.slidingWindow(5, '10 s'), limiter: Ratelimit.slidingWindow(5, '10 s'),
@ -19,8 +14,8 @@ export const config = {
export default async function combinedMiddleware(request) { export default async function combinedMiddleware(request) {
const ip = request.ip ?? '127.0.0.1'; const ip = request.ip ?? '127.0.0.1';
const pathname = request.nextUrl.pathname; const pathname = request.nextUrl.pathname;
const host = request.headers.get('host'); const vercelBypass = request.headers.get('x-vercel-protection-bypass');
console.log("Host", host)
// Allow access to .well-known paths // Allow access to .well-known paths
if (pathname.startsWith('/.well-known')) { if (pathname.startsWith('/.well-known')) {
const { success } = await ratelimit.limit(ip); const { success } = await ratelimit.limit(ip);
@ -29,23 +24,15 @@ export default async function combinedMiddleware(request) {
: NextResponse.redirect(new URL('/blocked', request.url)); : NextResponse.redirect(new URL('/blocked', request.url));
} }
// Check if the request is coming from allowed hosts // Check if the request is coming from a Vercel deployment
const allowedHosts = [ if (!vercelBypass) {
FRONTEND_HOSTNAME,
FRONTEND_STAGING_HOSTNAME,
new URL(BACKEND_URL).host,
new URL(BACKEND_STAGING_URL).host
].filter(Boolean);
console.log("Allowed hosts", allowedHosts)
if (!allowedHosts.includes(host)) {
return new NextResponse(JSON.stringify({ error: 'Forbidden' }), { return new NextResponse(JSON.stringify({ error: 'Forbidden' }), {
status: 403, status: 403,
headers: { 'Content-Type': 'application/json' } headers: { 'Content-Type': 'application/json' }
}); });
} }
// Apply rate limiting for allowed hosts // Apply rate limiting for allowed requests
const { success } = await ratelimit.limit(ip); const { success } = await ratelimit.limit(ip);
return success return success
? NextResponse.next() ? NextResponse.next()