blsmedia/bot
2
0
Fork 0
Code Activity

🛂 Enable allowed origins security to depreceated sendMessage endpoints

Browse Source
This commit is contained in:
Baptiste Arnaud
2024-01-19 14:41:43 +01:00
parent 29bd5f1539
commit b438c174c4
2 changed files with 57 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
apps/viewer/src/features/chat/api/legacy/sendMessageV1.ts
View File

@ -29,7 +29,7 @@ export const sendMessageV1 = publicProcedure
.mutation( .mutation(
async ({ async ({
input: { sessionId, message, startParams, clientLogs }, input: { sessionId, message, startParams, clientLogs },
ctx: { user }, ctx: { user, origin, res },
}) => { }) => {
const session = sessionId ? await getSession(sessionId) : null const session = sessionId ? await getSession(sessionId) : null
@ -104,6 +104,21 @@ export const sendMessageV1 = publicProcedure
message, message,
}) })
if (startParams.isPreview || typeof startParams.typebot !== 'string') {
if (
newSessionState.allowedOrigins &&
newSessionState.allowedOrigins.length > 0
) {
if (origin && newSessionState.allowedOrigins.includes(origin))
res.setHeader('Access-Control-Allow-Origin', origin)
else
res.setHeader(
'Access-Control-Allow-Origin',
newSessionState.allowedOrigins[0]
)
}
}
const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs
const session = startParams?.isOnlyRegistering const session = startParams?.isOnlyRegistering
@ -137,6 +152,19 @@ export const sendMessageV1 = publicProcedure
clientSideActions, clientSideActions,
} }
} else { } else {
if (
session.state.allowedOrigins &&
session.state.allowedOrigins.length > 0
) {
if (origin && session.state.allowedOrigins.includes(origin))
res.setHeader('Access-Control-Allow-Origin', origin)
else
res.setHeader(
'Access-Control-Allow-Origin',
session.state.allowedOrigins[0]
)
}
const { const {
messages, messages,
input, input,

29
apps/viewer/src/features/chat/api/legacy/sendMessageV2.ts
View File

@ -29,7 +29,7 @@ export const sendMessageV2 = publicProcedure
.mutation( .mutation(
async ({ async ({
input: { sessionId, message, startParams, clientLogs }, input: { sessionId, message, startParams, clientLogs },
ctx: { user }, ctx: { user, res, origin },
}) => { }) => {
const session = sessionId ? await getSession(sessionId) : null const session = sessionId ? await getSession(sessionId) : null
@ -104,6 +104,21 @@ export const sendMessageV2 = publicProcedure
message, message,
}) })
if (startParams.isPreview || typeof startParams.typebot !== 'string') {
if (
newSessionState.allowedOrigins &&
newSessionState.allowedOrigins.length > 0
) {
if (origin && newSessionState.allowedOrigins.includes(origin))
res.setHeader('Access-Control-Allow-Origin', origin)
else
res.setHeader(
'Access-Control-Allow-Origin',
newSessionState.allowedOrigins[0]
)
}
}
const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs
const session = startParams?.isOnlyRegistering const session = startParams?.isOnlyRegistering
@ -137,6 +152,18 @@ export const sendMessageV2 = publicProcedure
clientSideActions, clientSideActions,
} }
} else { } else {
if (
session.state.allowedOrigins &&
session.state.allowedOrigins.length > 0
) {
if (origin && session.state.allowedOrigins.includes(origin))
res.setHeader('Access-Control-Allow-Origin', origin)
else
res.setHeader(
'Access-Control-Allow-Origin',
session.state.allowedOrigins[0]
)
}
const { const {
messages, messages,
input, input,