2026-05-15 04:39:25 +02:00
parent d554b1fc3b
commit f4d9d45338


@@ -689,6 +689,20 @@ process.on('uncaughtException', err => {
}
});
// Internal auth check for Nginx auth_request (protects files served by Nginx)
app.use(async (req, res) => {
if (req.url.pathname === '/api/internal/auth-check') {
const isProtected = getProtectFiles() || cfg.websrv.private_society;
if (isProtected && !req.session) {
res.writeHead(401).end('Unauthorized');
} else {
res.writeHead(200).end('OK');
}
req.url.pathname = '/auth_check_bypass';
return;
}
});
// CSRF validation helper — used by route handlers that have already populated req.session
// NOTE: Cannot be used in flummpress app.use() middlewares for upload/avatar bypass handlers
// because flummpress runs ALL middlewares in parallel (Promise.all), so the session
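Review bot: The new auth-check middleware decides on `!req.session` inside an `app.use()` handler, yet the comment directly below it says flummpress runs all middlewares in parallel, so the session may not be populated when this check runs (that comment is cut off at the hunk edge, so this is inferred). If so, the 401/200 answer Nginx receives for a protected file depends on timing rather than on the user's login state. The check should run only after the session lookup has finished, either as a route handler registered after session handling or by awaiting that lookup inside this handler, which is currently `async` without any `await`. Also confirm that `req.session` is absent for anonymous visitors and not an empty object, because any truthy value produces `200 OK`. The line `req.url.pathname = '/auth_check_bypass';` needs a why-comment, for example `// response already sent; rewrite the path so no later route also handles this request`, if that is its purpose.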