From 7cc042a3321aa9424995ee76aea4140855ba59f7 Mon Sep 17 00:00:00 2001
From: casperiv0 <53900565+casperiv0@users.noreply.github.com>
Date: Fri, 14 Jun 2024 13:08:30 +0200
Subject: [PATCH] fix: block global API token from /user

---
 apps/api/src/middlewares/auth/utils/utils.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/middlewares/auth/utils/utils.ts b/apps/api/src/middlewares/auth/utils/utils.ts
index 7beb4b2e8..665d1f956 100644
--- a/apps/api/src/middlewares/auth/utils/utils.ts
+++ b/apps/api/src/middlewares/auth/utils/utils.ts
@@ -15,7 +15,10 @@ export function isRouteDisabled(options: Pick) {
   const url = options.req.originalUrl.toLowerCase();
   const requestMethod = options.req.method as Method;
 
-  const route = DISABLED_API_TOKEN_ROUTES.find(([r]) => url.endsWith(r));
+  const route = DISABLED_API_TOKEN_ROUTES.find(([pathname]) => {
+    const urlPathname = new URL(url, "https://example.com").pathname.toLowerCase();
+    return urlPathname.endsWith(pathname.toLowerCase());
+  });
 
   if (route) {
     const [, methods] = route;
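Review bot: The suffix comparison on the new `urlPathname` line still lets trailing-slash variants through: a request for `/user/` produces a pathname that does not `endsWith("/user")`, yet a router with non-strict matching would dispatch it to the same handler, so the API-token block could be skipped for that spelling. Normalizing before the comparison closes that gap, e.g. `const urlPathname = new URL(url, "https://example.com").pathname.toLowerCase().replace(/\/+$/, "");` — whether this router actually treats `/user/` as `/user` is inferred rather than visible here, so confirm it against the strict-routing setting before relying on it. On style, the `.toLowerCase()` on `urlPathname` is redundant because `url` is already lowercased on the line above, and `pathname.toLowerCase()` on each table entry is recomputed per request; lowercasing the `DISABLED_API_TOKEN_ROUTES` entries once where they are defined would be cleaner. The body of isRouteDisabled continues past the end of the hunk.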