From 52d332450ba38899b0058482913ee861583a91ab Mon Sep 17 00:00:00 2001
From: Mestima
Date: Wed, 26 Aug 2020 18:53:08 +0300
Subject: [PATCH] node webpart request security fix
---
 web/nodejs/config_sample.json | 1 +
 web/nodejs/dist/index.js | 12 ++++++++++++
 web/nodejs/index.ts | 14 ++++++++++++++
 3 files changed, 27 insertions(+)
diff --git a/web/nodejs/config_sample.json b/web/nodejs/config_sample.json
index 9716ce6..3ebf68d 100644
--- a/web/nodejs/config_sample.json
+++ b/web/nodejs/config_sample.json
@@ -3,5 +3,6 @@
 "token": "",
 "channel": "",
 "webhook": "",
+ "security": true,
 "debug": false
 }
\ No newline at end of file
diff --git a/web/nodejs/dist/index.js b/web/nodejs/dist/index.js
index f799946..3d7f3fb 100644
--- a/web/nodejs/dist/index.js
+++ b/web/nodejs/dist/index.js
@@ -12,6 +12,7 @@ const port = config.port;
 const webhook = config.webhook;
 const channel = config.channel;
 const token = config.token;
+const security = config.security;
 const debug = config.debug;
 app.post("/send", (req, res) => {
 const content = req.query.content;
@@ -42,6 +43,17 @@ app.post("/send", (req, res) => {
 });
 });
 app.get("/request", (req, res) => {
+ if (security) {
+ const postToken = req.query.token;
+ const postChannel = req.query.channel;
+ if (channel != postChannel || token != postToken) {
+ const err = `error: unknown token or channel`;
+ if (debug) {
+ console.log(err);
+ }
+ return res.send(err);
+ }
+ }
 node_fetch_1.default(`https://discordapp.com/api/channels/${channel}/messages?token=Bot ${token}`)
 .then(discordRes => discordRes.json())
 .then(json => {
diff --git a/web/nodejs/index.ts b/web/nodejs/index.ts
index 7b241a9..71d3b6c 100644
--- a/web/nodejs/index.ts
+++ b/web/nodejs/index.ts
@@ -10,6 +10,8 @@ const port = config.port;
 const webhook = config.webhook;
 const channel = config.channel;
 const token = config.token;
+
+const security = config.security;
 const debug = config.debug;
 app.post("/send", (req, res) => {
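Review bot: `const security = config.security;` in web/nodejs/index.ts makes the new check fail open: when the `security` key is absent from the loaded config the value is `undefined`, so the `if (security)` guard this commit adds to `/request` is skipped silently. The patch adds the key only to config_sample.json, so a config.json created from the earlier sample presumably lacks it and stays unprotected after the upgrade. Treat anything other than an explicit `false` as enabled, `const security = config.security !== false;`, and log once at startup when the check is turned off. The matching line in web/nodejs/dist/index.js is the compiled copy and should be regenerated rather than edited by hand.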
@@ -45,6 +47,18 @@ app.post("/send", (req, res) => {
 });
 app.get("/request", (req, res) => {
+ if (security) {
+ const postToken: any = req.query.token;
+ const postChannel: any = req.query.channel;
+ if (channel != postChannel || token != postToken) {
+ const err = `error: unknown token or channel`;
+ if (debug) {
+ console.log(err);
+ }
+ return res.send(err);
+ }
+ }
+
 fetch(`https://discordapp.com/api/channels/${channel}/messages?token=Bot ${token}`)
 .then(discordRes => discordRes.json())
 .then(json => {
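Review bot: The guard added at the top of the `/request` handler reads the bot token from `req.query.token`, so the secret travels in the URL where access logs and proxies record it, and it is compared with loose `!=` against an `any`-typed value that Express's default query parser can deliver as an array or object instead of a string. Take the credential from a request header, require strings and compare strictly: `if (typeof postToken !== "string" || typeof postChannel !== "string" || channel !== postChannel || token !== postToken) {`. The rejection is also sent with status 200; `return res.status(403).send(err);` lets clients and monitoring tell a refused request from a served one. Only `/request` gains the check in this patch, and `/send` is visible only as context, so whether it needs the same guard should be confirmed. The handler body continues past the end of the hunk.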