From 4846d8ebe6f170f889de38b4b399419cbb27b692 Mon Sep 17 00:00:00 2001
From: Kristian Polso
Date: Wed, 23 May 2018 17:25:16 +0300
Subject: [PATCH] Harden hook
---
 server.js | 41 ++++++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/server.js b/server.js
index dd02bdc..a12c526 100644
--- a/server.js
+++ b/server.js
@@ -29,24 +29,39 @@ app.use(sslRedirect(['other','development', 'staging', 'production']));
 app.get('/forward', function(req, res) {
+ var allowedMethods = ["wallet_send", "resolve", "publish"];
+
 if(typeof req.query.method != "undefined") {
- // We should whitelist the query parameters here
+ if(allowedMethods.includes(req.query.method)) {
+
+ // We should whitelist the query parameters here
+
+ if(req.query.method == "wallet_send") {
+
+ // Hardcode the wallet_send amount to be always 0.01 always
+ req.query.amount = 0.01;
+
+ // Whitelist claim ids
+ var allowedClaims = ["fbdcd44a97810522d23d5f1335b8ca04be9d776c", "de7f7fa33e8d879b2bae7238d2bdf827a39f9301", "5b7c7a202201033d99e1be2930d290c127c0f4fe", "a1372cf5523885f5923237bfe522f02f5f054362"];
+
+ if(!allowedClaims.includes(req.query.claim_id)) {
+ res.json({});
+ }
+
+ }
+
+ request({
+ url: "http://daemon.lbry.tech",
+ qs: req.query
+ }, function(error, response, body) {
+ // Should we parse the body before forwarding?
+ res.setHeader('Content-Type', 'application/json');
+ res.send(body);
+ });
- // Hardcode the wallet_send amount to be 0.01 always
- if(req.query.method == "wallet_send") {
- req.query.amount = 0.01;
 }
- request({
- url: "http://daemon.lbry.tech",
- qs: req.query
- }, function(error, response, body) {
- // Should we parse the body before forwarding?
- res.setHeader('Content-Type', 'application/json');
- res.send(body);
- })
-
 }
 });
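Review bot: The claim-id whitelist in the wallet_send branch does not actually stop the request — `res.json({});` is not returned, so execution falls through to `request(...)`, the rejected claim_id is still forwarded to the daemon with the forced amount, and the callback then calls `res.setHeader`/`res.send` on a response whose headers were already sent, which Express reports as an error. Change the guard body to `return res.json({});` so the rejection ends the handler. The same fall-through shape leaves the method-not-allowed and method-undefined paths with no response at all, so those requests hang until the client gives up; a `return res.status(400).json({});` at the end of each branch would close them. The `error` argument of the request callback is also ignored, so on a daemon failure `body` is undefined and an empty reply goes out under a JSON content type; `if (error) return res.status(502).json({});` before `res.send` would make that visible. The `// We should whitelist the query parameters here` comment is carried over unaddressed, so every other query key still reaches the daemon unchanged.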