chore: secure dashboard proxy endpoint and decouple lan checks
Deploy Dashboard / deploy (push) Successful in 1m48s
Deploy Dashboard / deploy (push) Successful in 1m48s
This commit is contained in:
@@ -41,7 +41,7 @@ async def security_headers(request: Request, call_next):
|
||||
response.headers["X-Frame-Options"] = "DENY"
|
||||
response.headers["X-XSS-Protection"] = "1; mode=block"
|
||||
response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
|
||||
response.headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' wss://nas.jimmygan.com wss://nas.jimmygan.com:8443; frame-ancestors 'none'"
|
||||
response.headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' wss: ws:; frame-ancestors 'none'"
|
||||
return response
|
||||
|
||||
# Audit logger
|
||||
@@ -66,6 +66,8 @@ async def audit_log(request: Request, call_next):
|
||||
if auth_header.startswith("Bearer "):
|
||||
payload = jwt.decode(auth_header[7:], SECRET_KEY, algorithms=[ALGORITHM])
|
||||
user = payload.get("sub", "-")
|
||||
except jwt.PyJWTError:
|
||||
user = "Invalid/Malformed Token"
|
||||
except Exception:
|
||||
pass
|
||||
_audit_logger.info(
|
||||
@@ -116,8 +118,13 @@ async def health():
|
||||
|
||||
@app.get("/api/client-ip")
|
||||
async def client_ip(request: Request):
|
||||
ip = request.headers.get("x-forwarded-for", "").split(",")[0].strip() or request.client.host
|
||||
lan = ip.startswith("192.168.31.") or (ip.startswith("100.") and _router_reachable())
|
||||
ip = request.client.host
|
||||
if ip in ("127.0.0.1", "::1"):
|
||||
forwarded = request.headers.get("x-forwarded-for", "").split(",")[0].strip()
|
||||
if forwarded:
|
||||
ip = forwarded
|
||||
import config
|
||||
lan = config.is_lan_ip(ip) if not ip.startswith("100.") else config.is_lan_ip(ip) and _router_reachable()
|
||||
return {"lan": lan}
|
||||
|
||||
def _router_reachable():
|
||||
|
||||
Reference in New Issue
Block a user