Disable /admin* endpoints when no adminPass is set

Christoph Wiechert
2017-07-13 20:19:13 +02:00
parent 7de25df051
commit b816787b0f


@@ -55,11 +55,13 @@ app.get('/config.json', (req, res) => {
}); });
app.get('/admin', (req, res) => { app.get('/admin', (req, res, next) => {
if(!config.adminPass) return next();
res.sendFile(path.join(__dirname, '../public/html/admin.html')); res.sendFile(path.join(__dirname, '../public/html/admin.html'));
}); });
app.get('/admin/data.json', (req, res) => { app.get('/admin/data.json', (req, res, next) => {
if(!config.adminPass || !req.get('x-passwd')) return res.status(401).send('Unauthorized'); if(!config.adminPass) return next();
if(!req.get('x-passwd')) return res.status(401).send('Unauthorized');
if(req.get('x-passwd') !== config.adminPass) return res.status(403).send('Forbidden'); if(req.get('x-passwd') !== config.adminPass) return res.status(403).send('Forbidden');
const result = _.chain(db.db) const result = _.chain(db.db)
@@ -77,7 +79,10 @@ app.get('/admin/data.json', (req, res) => {
}) })
.value(); .value();
res.json(result); // make bruteforce attack more difficult
setTimeout(() => {
res.json(result);
},250);
}); });
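Review bot: The 250 ms `setTimeout` added in the second hunk wraps only the final `res.json(result)`, which runs after the `x-passwd` check has already passed, so wrong guesses still receive their 401/403 immediately and the delay does not slow password guessing as the comment claims. To have that effect the delay belongs on the rejection path, e.g. `if(req.get('x-passwd') !== config.adminPass) return setTimeout(() => res.status(403).send('Forbidden'), 250);`. Even then a fixed per-request delay does not bound parallel attempts, so a per-client limit on failed attempts would be the stronger control. Separately, the `!==` comparison of the header against `config.adminPass` is not constant-time; `crypto.timingSafeEqual` over equal-length buffers would be. The middle of the `/admin/data.json` handler (the `_.chain(db.db)` pipeline) lies between the two hunks and is not shown here.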