weseek__growi/apps/app/src/server/middlewares/certify-origin.ts

import { ErrorV3 } from '@growi/core/dist/models';
import type { NextFunction, Response } from 'express';

import type { AccessTokenParserReq } from '~/server/middlewares/access-token-parser/interfaces';
import { configManager } from '~/server/service/config-manager';
import isSimpleRequest from '~/server/util/is-simple-request';
import loggerFactory from '~/utils/logger';

const logger = loggerFactory('growi:middleware:certify-origin');

type Apiv3ErrFunction = (error: ErrorV3) => void;

const certifyOrigin = (req: AccessTokenParserReq, res: Response & { apiv3Err: Apiv3ErrFunction }, next: NextFunction): void => {

  const appSiteUrl = configManager.getConfig('app:siteUrl');

  const isSameOriginReq = req.headers.origin == null || req.headers.origin === appSiteUrl;
  const accessToken = req.query.access_token ?? req.body.access_token;

  if (!isSameOriginReq && req.headers.origin != null && isSimpleRequest(req)) {
    const message = 'Invalid request (origin check failed but simple request)';
    logger.error(message);
    return res.apiv3Err(new ErrorV3(message));
  }

  if (!isSameOriginReq && accessToken == null && !isSimpleRequest(req)) {
    const message = 'Invalid request (origin check failed and no access token)';
    logger.error(message);
    return res.apiv3Err(new ErrorV3(message));
  }

  next();
};
export default certifyOrigin;