mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-17 17:00:15 +01:00
d5d188eebf
* chore: slight refactor * fix: prevent message updates unless explicitly owned * refactor: rethrow errors, update deleteMessagesSince (not used), add basic tests * fix: Add path normalization and validation to image request middleware * fix: image validation path security
46 lines
1.4 KiB
JavaScript
46 lines
1.4 KiB
JavaScript
const cookies = require('cookie');
|
|
const jwt = require('jsonwebtoken');
|
|
const { logger } = require('~/config');
|
|
|
|
/**
|
|
* Middleware to validate image request.
|
|
* Must be set by `secureImageLinks` via custom config file.
|
|
*/
|
|
function validateImageRequest(req, res, next) {
|
|
if (!req.app.locals.secureImageLinks) {
|
|
return next();
|
|
}
|
|
|
|
const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
|
|
if (!refreshToken) {
|
|
logger.warn('[validateImageRequest] Refresh token not provided');
|
|
return res.status(401).send('Unauthorized');
|
|
}
|
|
|
|
let payload;
|
|
try {
|
|
payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
|
|
} catch (err) {
|
|
logger.warn('[validateImageRequest]', err);
|
|
return res.status(403).send('Access Denied');
|
|
}
|
|
|
|
const currentTimeInSeconds = Math.floor(Date.now() / 1000);
|
|
if (payload.exp < currentTimeInSeconds) {
|
|
logger.warn('[validateImageRequest] Refresh token expired');
|
|
return res.status(403).send('Access Denied');
|
|
}
|
|
|
|
const fullPath = decodeURIComponent(req.originalUrl);
|
|
const pathPattern = new RegExp(`^/images/${payload.id}/[^/]+$`);
|
|
|
|
if (pathPattern.test(fullPath)) {
|
|
logger.debug('[validateImageRequest] Image request validated');
|
|
next();
|
|
} else {
|
|
logger.warn('[validateImageRequest] Invalid image path');
|
|
res.status(403).send('Access Denied');
|
|
}
|
|
}
|
|
|
|
module.exports = validateImageRequest;
|