API: Only allow CDNs to cache GET, HEAD, and OPTIONS requests #3931

Signed-off-by: Michael Mayer <michael@photoprism.app>
Michael Mayer
2024-01-16 16:17:16 +01:00
parent e5aa76730f
commit c3b9b73d1d
10 changed files with 223 additions and 64 deletions


@@ -28,13 +28,19 @@ func CreateOAuthToken(router *gin.RouterGroup) {
// Disable caching of responses.
c.Header(header.CacheControl, header.CacheControlNoStore)
// Prevent CDNs from caching this endpoint.
if header.IsCdn(c.Request) {
c.AbortWithStatus(http.StatusNotFound)
return
}
// Get client IP address for logs and rate limiting checks.
clientIp := ClientIP(c)
// Abort if running in public mode.
if get.Config().Public() {
// Abort if running in public mode.
event.AuditErr([]string{clientIp, "create client session", "disabled in public mode"})
Abort(c, http.StatusForbidden, i18n.ErrForbidden)
AbortForbidden(c)
return
}
@@ -131,6 +137,12 @@ func RevokeOAuthToken(router *gin.RouterGroup) {
// Disable caching of responses.
c.Header(header.CacheControl, header.CacheControlNoStore)
// Prevent CDNs from caching this endpoint.
if header.IsCdn(c.Request) {
c.AbortWithStatus(http.StatusNotFound)
return
}
// Get client IP address for logs and rate limiting checks.
clientIp := ClientIP(c)