k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-22 14:51:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: require auth for file and photo uploads

Browse Source 
/uploads/files/ and /uploads/photos/ now require a valid Bearer token.
Covers and avatars remain public (needed for shared pages and profiles).
Prevents unauthenticated access to uploaded documents and trip photos.
This commit is contained in:
Maurice
2026-03-30 20:51:38 +02:00
parent 19c9e17884
commit 4ddfa92c14
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/index.ts
+4 -3
View File
@@ -109,13 +109,14 @@ if (DEBUG) {
} }
// Avatars are public (shown on login, sharing screens) // Avatars are public (shown on login, sharing screens)
import { authenticate } from './middleware/auth';
app.use('/uploads/avatars', express.static(path.join(__dirname, '../uploads/avatars'))); app.use('/uploads/avatars', express.static(path.join(__dirname, '../uploads/avatars')));
app.use('/uploads/covers', express.static(path.join(__dirname, '../uploads/covers'))); app.use('/uploads/covers', express.static(path.join(__dirname, '../uploads/covers')));
// All other uploads require authentication // Files and photos require authentication (covers and avatars are public — served statically above)
app.get('/uploads/:type/:filename', (req: Request, res: Response) => { app.get('/uploads/:type/:filename', authenticate, (req: Request, res: Response) => {
const { type, filename } = req.params; const { type, filename } = req.params;
const allowedTypes = ['covers', 'files', 'photos']; const allowedTypes = ['files', 'photos'];
if (!allowedTypes.includes(type)) return res.status(404).send('Not found'); if (!allowedTypes.includes(type)) return res.status(404).send('Not found');
// Prevent path traversal // Prevent path traversal