Merge security/web-sandbox-secret

orosmatthew 2024-03-11 17:39:43 -04:00
parent 2dabb4f9bc
commit 59ff0b4560
6 changed files with 30 additions and 13 deletions


@ -1,2 +1,3 @@
ADMIN_URL="http://localhost:5173" ADMIN_URL="http://127.0.0.1:3000"
REPO_URL="http://localhost:7006" REPO_URL="http://127.0.0.1:7006"
WEB_SANDBOX_SECRET="supersecret"
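Review bot: `WEB_SANDBOX_SECRET="supersecret"` is a guessable value committed to the repository, and the same value is added to the web service's env file later in this commit. If these are the files a deployment actually loads rather than templates (the file names are not visible on this page, so that is an assumption), the submission endpoints end up guarded by a publicly known secret. I would commit an obvious placeholder such as `WEB_SANDBOX_SECRET="change-me"`, add a comment telling the operator to generate a long random value per deployment, and keep the real file out of version control.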


@ -7,4 +7,5 @@ services:
environment: environment:
- ADMIN_URL=${ADMIN_URL} - ADMIN_URL=${ADMIN_URL}
- REPO_URL=${REPO_URL} - REPO_URL=${REPO_URL}
- WEB_SANDBOX_SECRET=${WEB_SANDBOX_SECRET}
network_mode: 'host' network_mode: 'host'


@ -49,7 +49,10 @@ enum SubmissionProcessingResult {
} }
async function fetchQueuedSubmission(): Promise<SubmissionGetData | undefined> { async function fetchQueuedSubmission(): Promise<SubmissionGetData | undefined> {
const res = await fetch(submissionApiUrl, { method: 'GET' }); const res = await fetch(submissionApiUrl, {
method: 'GET',
headers: { secret: process.env.WEB_SANDBOX_SECRET! }
});
if (res.status !== 200) { if (res.status !== 200) {
console.error( console.error(
`Failed to fetch from ${submissionApiUrl} with status: ${res.status} ${res.statusText}` `Failed to fetch from ${submissionApiUrl} with status: ${res.status} ${res.statusText}`
@ -142,7 +145,7 @@ async function cloneAndRun(submissionData: SubmissionGetData) {
}; };
const res = await fetch(urlJoin(adminUrl, 'api/submission'), { const res = await fetch(urlJoin(adminUrl, 'api/submission'), {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: { 'Content-Type': 'application/json', secret: process.env.WEB_SANDBOX_SECRET! },
body: JSON.stringify(postBodyObject) body: JSON.stringify(postBodyObject)
}); });
if (res.status !== 200) { if (res.status !== 200) {
@ -183,7 +186,11 @@ function printRunResult(runResult: RunResult) {
} }
function validateEnv(): boolean { function validateEnv(): boolean {
return process.env.ADMIN_URL !== undefined && process.env.REPO_URL !== undefined; return (
process.env.ADMIN_URL !== undefined &&
process.env.REPO_URL !== undefined &&
process.env.WEB_SANDBOX_SECRET !== undefined
);
} }
if (!validateEnv()) { if (!validateEnv()) {
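Review bot: The new clause in `validateEnv` only rejects an undefined WEB_SANDBOX_SECRET, so an empty string passes the startup check. That case is reachable in practice: the compose file in this commit passes `WEB_SANDBOX_SECRET=${WEB_SANDBOX_SECRET}`, and Compose substitutes an empty string when the host variable is unset. The sandbox would then start and send an empty `secret` header from both `fetch` calls, so I would tighten the clause to `(process.env.WEB_SANDBOX_SECRET ?? '') !== ''`. Failing at startup also makes the two `!` assertions on the header values safe to rely on. The `if (!validateEnv())` block continues outside the hunk.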


@ -1,4 +1,3 @@
DATABASE_URL=postgresql://bwcontest:password@127.0.0.1:5432/bwcontest DATABASE_URL=postgresql://bwcontest:password@127.0.0.1:5432/bwcontest
GIT_PORT=7006 ORIGIN=http://127.0.0.1:3000
WEB_PORT=3000 WEB_SANDBOX_SECRET="supersecret"
ORIGIN=http://127.0.0.1


@ -14,12 +14,13 @@ services:
context: ../ context: ../
dockerfile: ./web/Dockerfile dockerfile: ./web/Dockerfile
ports: ports:
- ${WEB_PORT}:${WEB_PORT} - 3000:3000
- ${GIT_PORT}:${GIT_PORT} - 7006:7006
environment: environment:
- DATABASE_URL=${DATABASE_URL} - DATABASE_URL=${DATABASE_URL}
- GIT_PORT=${GIT_PORT} - GIT_PORT=7006
- ORIGIN=${ORIGIN}:${WEB_PORT} - ORIGIN=${ORIGIN}
- WEB_SANDBOX_SECRET=${WEB_SANDBOX_SECRET}
volumes: volumes:
- ./repo:/app/repo - ./repo:/app/repo
depends_on: depends_on:


@ -5,7 +5,11 @@ import { z } from 'zod';
import type { RequestHandler } from './$types'; import type { RequestHandler } from './$types';
import * as Diff from 'diff'; import * as Diff from 'diff';
export const GET = (async () => { export const GET = (async ({ request }) => {
const secret = request.headers.get('secret');
if (secret === null || secret !== process.env.WEB_SANDBOX_SECRET!) {
throw error(401, 'Unauthorized');
}
const submissions = await db.submission.findMany({ const submissions = await db.submission.findMany({
where: { state: SubmissionState.Queued }, where: { state: SubmissionState.Queued },
orderBy: { createdAt: 'asc' }, orderBy: { createdAt: 'asc' },
@ -56,6 +60,10 @@ const submissionPostData = z
.strict(); .strict();
export const POST = (async ({ request }) => { export const POST = (async ({ request }) => {
const secret = request.headers.get('secret');
if (secret === null || secret !== process.env.WEB_SANDBOX_SECRET!) {
throw error(401, 'Unauthorized');
}
const requestJson = await request.json(); const requestJson = await request.json();
const data = submissionPostData.safeParse(requestJson); const data = submissionPostData.safeParse(requestJson);
if (!data.success) { if (!data.success) {
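Review bot: The secret check added at the top of both GET and POST fails open when WEB_SANDBOX_SECRET is set but empty, because an empty `secret` header is not `null` and equals the configured value. The `!` assertion also hides the unset case from the type checker, although an unset variable does still reject at runtime. The `!==` comparison is not constant-time, and the same four lines are duplicated in both handlers. I would move the check into one helper that rejects a missing or empty configured secret and compares SHA-256 digests with `timingSafeEqual` (both from `node:crypto`), then call it from both handlers. Both handler bodies continue outside the hunks shown.

```typescript
function isSandboxRequest(request: Request): boolean {
  const expected = process.env.WEB_SANDBOX_SECRET;
  const presented = request.headers.get('secret');
  // Fail closed when the server has no usable secret configured.
  if (!expected || presented === null) {
    return false;
  }
  // Hash both sides so timingSafeEqual receives equal-length inputs.
  const presentedDigest = createHash('sha256').update(presented).digest();
  const expectedDigest = createHash('sha256').update(expected).digest();
  return timingSafeEqual(presentedDigest, expectedDigest);
}

export const GET = (async ({ request }) => {
  if (!isSandboxRequest(request)) {
    throw error(401, 'Unauthorized');
  }
  // … unchanged: queued-submission query …

export const POST = (async ({ request }) => {
  if (!isSandboxRequest(request)) {
    throw error(401, 'Unauthorized');
  }
  // … unchanged: body parsing and validation …
```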