修复/api/server-config暴露externalServerAuth的安全问题
This commit is contained in:
@@ -13,11 +13,12 @@ export async function GET(request: NextRequest) {
|
||||
const storageType = process.env.NEXT_PUBLIC_STORAGE_TYPE || 'localstorage';
|
||||
|
||||
// 观影室配置从环境变量读取
|
||||
// 注意:不要暴露 externalServerAuth 到前端,这是敏感凭据
|
||||
const watchRoomConfig = {
|
||||
enabled: process.env.WATCH_ROOM_ENABLED === 'true',
|
||||
serverType: (process.env.WATCH_ROOM_SERVER_TYPE as 'internal' | 'external') || 'internal',
|
||||
externalServerUrl: process.env.WATCH_ROOM_EXTERNAL_SERVER_URL,
|
||||
externalServerAuth: process.env.WATCH_ROOM_EXTERNAL_SERVER_AUTH,
|
||||
// externalServerAuth 不应该暴露给前端
|
||||
};
|
||||
|
||||
// 如果使用 localStorage,返回默认配置
|
||||
|
||||
30
src/app/api/watch-room-auth/route.ts
Normal file
30
src/app/api/watch-room-auth/route.ts
Normal file
@@ -0,0 +1,30 @@
|
||||
/* eslint-disable no-console */
|
||||
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
|
||||
import { getAuthInfoFromCookie } from '@/lib/auth';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
|
||||
/**
|
||||
* GET /api/watch-room-auth
|
||||
*
|
||||
* 需要登录才能访问的接口,返回观影室外部服务器的认证信息
|
||||
* 这样可以避免将敏感的 externalServerAuth 暴露给未登录用户
|
||||
*/
|
||||
export async function GET(request: NextRequest) {
|
||||
console.log('watch-room-auth called: ', request.url);
|
||||
|
||||
// 从 cookie 获取用户信息
|
||||
const authInfo = getAuthInfoFromCookie(request);
|
||||
if (!authInfo || !authInfo.username) {
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
|
||||
}
|
||||
|
||||
// 返回外部服务器认证信息
|
||||
const externalServerAuth = process.env.WATCH_ROOM_EXTERNAL_SERVER_AUTH;
|
||||
|
||||
return NextResponse.json({
|
||||
externalServerAuth: externalServerAuth || null,
|
||||
});
|
||||
}
|
||||
Reference in New Issue
Block a user