Merge pull request #34 from magicpages/develop

v1.6.1

package.json

@@ -20,7 +20,6 @@
     "@types/http-proxy": "^1.17.14",
     "@types/http-proxy-middleware": "^1.0.0",
     "@types/multer": "^1.4.11",
-    "body-parser": "^1.20.2",
     "dotenv": "16.4.5",
     "express": "4.19.2",
     "form-data": "^4.0.0",

src/index.ts

@@ -8,8 +8,8 @@ import {
   listStorageZoneFiles,
   FileDetail,
   errorHtml,
+  SpamRequestCondition,
 } from './util.js';
-import bodyParser from 'body-parser';
 
 dotenv.config();
 
@@ -25,7 +25,6 @@ const BUNNYCDN_STORAGE_ZONE_PASSWORD = process.env.BUNNYCDN_STORAGE_ZONE_PASSWOR
 const BLOCK_KNOWN_SPAM_REQUESTS = process.env.BLOCK_KNOWN_SPAM_REQUESTS !== 'false';
 
 app.set('trust proxy', true);
-app.use(bodyParser.json());
 
 const proxy = httpProxy.createProxyServer({
   target: GHOST_URL,
@@ -76,25 +75,63 @@ proxy.on('error', (err, req, res) => {
 });
 
 if (BLOCK_KNOWN_SPAM_REQUESTS) {
-  app.use((req: Request, res: Response, next: NextFunction) => {
 
+  const knownSpamRequests: SpamRequestCondition[] = [
     /**
      * Spam requests from 2024-08-18
      * @See: https://www.reddit.com/r/Ghost/comments/1eths4f/someone_registers_multiple_users_on_my_selfhosted/
      */
-    if (
-      req.url.startsWith('/members/api/send-magic-link') &&
-      req.body &&
-      req.body.name === 'adwdasddwa'
-    ) {
-      console.log('Blocked spam signup attempt');
-      return res.status(403).send('Forbidden');
-    }
+    {
+      url: '//members/api/send-magic-link',
+      condition: (req: Request) => {
+        return req.body && req.body.name === 'adwdasddwa';
+      },
+    },
+    {
+      url: '/members/api/send-magic-link',
+      condition: (req: Request) => {
+        return req.body && req.body.name === 'adwdasddwa';
+      },
+    },
+    // Additional spam conditions should be added here as necessary. PRs very welcome!
+  ];
 
-    next();
+  app.use((req: Request, res: Response, next: NextFunction) => {
+    // check method and if the url is in the known spam requests
+    if (req.method === 'POST' && knownSpamRequests.some((r) => req.url.startsWith(r.url))) {
+      let body = '';
+
+      req.on('data', (chunk) => {
+        body += chunk;
+      });
+
+      req.on('end', () => {
+        try {
+          req.body = JSON.parse(body);
+
+          for (const spamRequest of knownSpamRequests) {
+            if (
+              req.url.startsWith(spamRequest.url) &&
+              spamRequest.condition(req)
+            ) {
+              console.log('Blocked known spam request:', req.url, req.body);
+              return res.status(403).send('Forbidden');
+            }
+          }
+
+          next();
+        } catch (error) {
+          console.error('Error parsing request body:', error);
+          next();
+        }
+      });
+    } else {
+      next();
+    }
   });
 }
 
+
 app.use((req, res) => {
   proxy.web(req, res, { target: GHOST_URL });
 });

src/util.ts

@@ -1,4 +1,5 @@
 import fetch from 'node-fetch';
+import { Request } from 'express';
 
 // This is a partial interface for the PullZone object,
 // given that we only need the Name property.
@@ -74,4 +75,9 @@ export interface FileDetail {
     StorageZoneId: number,
     Checksum: string | null,
     ReplicatedZones: string[] | null,
-  }
+  }
+
+export interface SpamRequestCondition {
+  url: string;
+  condition: (req: Request) => boolean;
+}

yarn.lock

@@ -125,7 +125,7 @@ asynckit@^0.4.0:
   resolved "https://registry.yarnpkg.com/asynckit/-/asynckit-0.4.0.tgz#c79ed97f7f34cb8f2ba1bc9790bcc366474b4b79"
   integrity sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==
 
-[email protected], body-parser@^1.20.2:
+[email protected]:
   version "1.20.2"
   resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd"
   integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==