CraftAttack/website
4
0
Fork 0
Code Issues 3 Pull Requests Actions Wiki Activity

add optional env variable to protect the public report creation endpoint with a secret
All checks were successful
delpoy / build-and-deploy (push) Successful in 45s
Details

Browse Source
This commit is contained in:
bytedream 2023-09-30 01:10:50 +02:00
parent 3713c7eaba
commit b7177708a7
3 changed files with 15 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.env.example
View File

@ -1,5 +1,6 @@
DATABASE_URI=sqlite://./database.db
ADMIN_USER=admin
ADMIN_PASSWORD=admin
REPORT_SECRET=
PUBLIC_START_DATE=2023-12-26T00:00:00+0200
PUBLIC_BASE_PATH=

19
README.md
View File

@ -29,12 +29,13 @@ $ node -r dotenv/config build/index.js
Configurations can be done with env variables
| Name | Description |
| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `HOST` | Host the server should listen on |
| `PORT` | Port the server should listen on |
| `DATABASE_URI` | URI to the database as a connection string. Supported databases are [sqlite](https://www.sqlite.org/index.html) and [mariadb](https://mariadb.org/) |
| `ADMIN_USER` | Name for the root admin user. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set |
| `ADMIN_PASSWORD` | Password for the root admin user defined via `ADMIN_USER`. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set |
| `PUBLIC_BASE_PATH` | If running the website on a sub-path, set this variable to the path so that assets etc. can find the correct location |
| `PUBLIC_START_DATE` | The start date when the event starts |
| Name | Description |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `HOST` | Host the server should listen on |
| `PORT` | Port the server should listen on |
| `DATABASE_URI` | URI to the database as a connection string. Supported databases are [sqlite](https://www.sqlite.org/index.html) and [mariadb](https://mariadb.org/) |
| `ADMIN_USER` | Name for the root admin user. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set |
| `ADMIN_PASSWORD` | Password for the root admin user defined via `ADMIN_USER`. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set |
| `REPORT_SECRET` | Secret which may be required (as `?secret=<secret>` query parameter) to create reports on the public endpoint. Isn't required to be in the request if this variable is empty |
| `PUBLIC_BASE_PATH` | If running the website on a sub-path, set this variable to the path so that assets etc. can find the correct location |
| `PUBLIC_START_DATE` | The start date when the event starts |

5
src/routes/report/+server.ts
View File

@ -1,9 +1,12 @@
import type { RequestHandler } from '@sveltejs/kit';
import { Report, User } from '$lib/server/database';
import * as crypto from 'crypto';
import { env } from '$env/dynamic/public';
import { env } from '$env/dynamic/private';
export const POST = (async ({ request, url }) => {
if (env.REPORT_SECRET && url.searchParams.get('secret') !== env.REPORT_SECRET)
return new Response(null, { status: 401 });
const data: { reporter: string; reported: string; reason: string } = await request.json();
if (data.reporter == null || data.reported == null || data.reason == null)