From f4d9d45338cb3434b26acc997c89260a9a49b2be Mon Sep 17 00:00:00 2001 From: Kibi Kelburton Date: Fri, 15 May 2026 04:39:25 +0200 Subject: [PATCH] test --- src/index.mjs | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/index.mjs b/src/index.mjs index 6f9141b..1488d82 100644 --- a/src/index.mjs +++ b/src/index.mjs @@ -689,6 +689,20 @@ process.on('uncaughtException', err => { } }); + // Internal auth check for Nginx auth_request (protects files served by Nginx) + app.use(async (req, res) => { + if (req.url.pathname === '/api/internal/auth-check') { + const isProtected = getProtectFiles() || cfg.websrv.private_society; + if (isProtected && !req.session) { + res.writeHead(401).end('Unauthorized'); + } else { + res.writeHead(200).end('OK'); + } + req.url.pathname = '/auth_check_bypass'; + return; + } + }); + // CSRF validation helper — used by route handlers that have already populated req.session // NOTE: Cannot be used in flummpress app.use() middlewares for upload/avatar bypass handlers // because flummpress runs ALL middlewares in parallel (Promise.all), so the session