summaryrefslogtreecommitdiff
path: root/Run/Que/Server.hs
diff options
context:
space:
mode:
authorBen Sima <ben@bsima.me>2020-04-01 17:16:56 -0700
committerBen Sima <ben@bsima.me>2020-04-01 18:34:27 -0700
commit67303d8890806a817e5eef34582900f37d5c03eb (patch)
tree4c0d573d88e45d1a1474cb25421e23a031ee6f05 /Run/Que/Server.hs
parenta4f34429f343b775efb69971267980c7d42c9690 (diff)
Make pub the only publically-writable namespace
Diffstat (limited to 'Run/Que/Server.hs')
-rw-r--r--Run/Que/Server.hs19
1 files changed, 16 insertions, 3 deletions
diff --git a/Run/Que/Server.hs b/Run/Que/Server.hs
index 218c821..38c6bdc 100644
--- a/Run/Que/Server.hs
+++ b/Run/Que/Server.hs
@@ -92,6 +92,7 @@ routes = do
app . modify <| upsertNamespace ns
q <- app <| que ns qp
poll <- Scotty.param "poll" !: (pure . const False)
+ guardNs ns ["pub", "_"]
case poll of
True -> Scotty.stream $ streamQue q
_ -> do
@@ -106,19 +107,31 @@ routes = do
xRealIP <- Scotty.header "X-Real-IP"
host <- Scotty.header "Host"
(ns, qp) <- extract
- -- Only allow my IP or localhost to access '_' namespace
+ -- Only allow my IP or localhost to publish to '_' namespace
when ("_" == ns) <| case (xFwdHost, xRealIP, host) of
(Just "73.222.221.62", _, _) -> Scotty.status Http.ok200
(_, Just "73.222.221.62", _) -> Scotty.status Http.ok200
- (Just "::1", Just "::1", Just "localhost") -> Scotty.status Http.ok200
+ (_, _, Just ("localhost:3000")) -> Scotty.status Http.ok200
_ -> Scotty.status Http.methodNotAllowed405
- >> Scotty.text "error 405 not allowed: _ is a reserved namespace"
+ >> Scotty.text "not allowed: _ is a reserved namespace"
+ guardNs ns ["pub"]
+ -- passed all auth checks
app . modify <| upsertNamespace ns
q <- app <| que ns qp
qdata <- Scotty.body
liftIO <| pushQue (BSL.toStrict qdata) q
return ()
+-- | Given `guardNs ns whitelist`, if `ns` is not in the `whitelist`
+-- list, return a 405 error.
+guardNs :: Text -> [Text] -> Scotty.ActionT Text App ()
+guardNs ns whitelist = when (not <| ns `elem` whitelist) <| do
+ Scotty.status Http.methodNotAllowed405
+ Scotty.text
+ <| "not allowed: use 'pub' namespace or signup to protect '"
+ <> ns
+ <> "' at https://que.run"
+
-- | recover from a scotty-thrown exception.
(!:)
:: Scotty.ActionT Text App a -- ^ action that might throw