Merge security/web-sandbox-secret

orosmatthew 2024-03-11 17:39:43 -04:00
parent 2dabb4f9bc
commit 59ff0b4560
6 changed files with 30 additions and 13 deletions


@ -1,2 +1,3 @@
ADMIN_URL="http://localhost:5173"
REPO_URL="http://localhost:7006"
ADMIN_URL="http://127.0.0.1:3000"
REPO_URL="http://127.0.0.1:7006"
WEB_SANDBOX_SECRET="supersecret"
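Review bot: `WEB_SANDBOX_SECRET="supersecret"` commits a guessable value as the shared secret that now gates the submission API, and the web service's env file later in this commit adds the identical line. The page does not show whether these files are templates or live configuration; if they are copied for deployment, every install that skips editing them shares a known secret. Consider committing a clearly labelled placeholder instead, e.g. `WEB_SANDBOX_SECRET="<generate-a-long-random-value>"`, preceded by a comment such as `# shared secret between web and sandbox: generate a long random value per deployment`.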


@ -7,4 +7,5 @@ services:
environment:
- ADMIN_URL=${ADMIN_URL}
- REPO_URL=${REPO_URL}
- WEB_SANDBOX_SECRET=${WEB_SANDBOX_SECRET}
network_mode: 'host'
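Review bot: `${WEB_SANDBOX_SECRET}` is interpolated without a required-variable guard, so when the variable is missing Compose substitutes an empty string and the container starts with a defined but empty secret. Writing the entry as `- WEB_SANDBOX_SECRET=${WEB_SANDBOX_SECRET:?WEB_SANDBOX_SECRET must be set}` makes `docker compose up` stop with an error when the value is unset or empty. The same applies to the identical line added to the web service's compose file later in this commit.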


@ -49,7 +49,10 @@ enum SubmissionProcessingResult {
}
async function fetchQueuedSubmission(): Promise<SubmissionGetData | undefined> {
const res = await fetch(submissionApiUrl, { method: 'GET' });
const res = await fetch(submissionApiUrl, {
method: 'GET',
headers: { secret: process.env.WEB_SANDBOX_SECRET! }
});
if (res.status !== 200) {
console.error(
`Failed to fetch from ${submissionApiUrl} with status: ${res.status} ${res.statusText}`
@ -142,7 +145,7 @@ async function cloneAndRun(submissionData: SubmissionGetData) {
};
const res = await fetch(urlJoin(adminUrl, 'api/submission'), {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
headers: { 'Content-Type': 'application/json', secret: process.env.WEB_SANDBOX_SECRET! },
body: JSON.stringify(postBodyObject)
});
if (res.status !== 200) {
@ -183,7 +186,11 @@ function printRunResult(runResult: RunResult) {
}
function validateEnv(): boolean {
return process.env.ADMIN_URL !== undefined && process.env.REPO_URL !== undefined;
return (
process.env.ADMIN_URL !== undefined &&
process.env.REPO_URL !== undefined &&
process.env.WEB_SANDBOX_SECRET !== undefined
);
}
if (!validateEnv()) {
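Review bot: `validateEnv()` only checks `process.env.WEB_SANDBOX_SECRET !== undefined`, so an empty string passes and both fetch calls would then send `secret: ''`; the last condition could be `(process.env.WEB_SANDBOX_SECRET ?? '').length > 0`. The two `process.env.WEB_SANDBOX_SECRET!` non-null assertions in `fetchQueuedSubmission` and `cloneAndRun` could be dropped by reading the value once into a module-level constant after validation, as appears to be done for `adminUrl`. The header travels over whatever scheme `ADMIN_URL` uses, so a comment at the fetch calls such as `// secret header is sent in cleartext unless ADMIN_URL is https or loopback` would make that constraint visible. All three functions continue outside the hunks shown.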


@ -1,4 +1,3 @@
DATABASE_URL=postgresql://bwcontest:password@127.0.0.1:5432/bwcontest
GIT_PORT=7006
WEB_PORT=3000
ORIGIN=http://127.0.0.1
ORIGIN=http://127.0.0.1:3000
WEB_SANDBOX_SECRET="supersecret"


@ -14,12 +14,13 @@ services:
context: ../
dockerfile: ./web/Dockerfile
ports:
- ${WEB_PORT}:${WEB_PORT}
- ${GIT_PORT}:${GIT_PORT}
- 3000:3000
- 7006:7006
environment:
- DATABASE_URL=${DATABASE_URL}
- GIT_PORT=${GIT_PORT}
- ORIGIN=${ORIGIN}:${WEB_PORT}
- GIT_PORT=7006
- ORIGIN=${ORIGIN}
- WEB_SANDBOX_SECRET=${WEB_SANDBOX_SECRET}
volumes:
- ./repo:/app/repo
depends_on:


@ -5,7 +5,11 @@ import { z } from 'zod';
import type { RequestHandler } from './$types';
import * as Diff from 'diff';
export const GET = (async () => {
export const GET = (async ({ request }) => {
const secret = request.headers.get('secret');
if (secret === null || secret !== process.env.WEB_SANDBOX_SECRET!) {
throw error(401, 'Unauthorized');
}
const submissions = await db.submission.findMany({
where: { state: SubmissionState.Queued },
orderBy: { createdAt: 'asc' },
@ -56,6 +60,10 @@ const submissionPostData = z
.strict();
export const POST = (async ({ request }) => {
const secret = request.headers.get('secret');
if (secret === null || secret !== process.env.WEB_SANDBOX_SECRET!) {
throw error(401, 'Unauthorized');
}
const requestJson = await request.json();
const data = submissionPostData.safeParse(requestJson);
if (!data.success) {
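Review bot: The check `secret !== process.env.WEB_SANDBOX_SECRET!` in both `GET` and `POST` fails closed only when the server variable is entirely unset; if it is defined but empty, a `secret` header with an empty value compares equal and the request is accepted. The comparison is also an ordinary string inequality rather than a constant-time one, and the same four lines are duplicated across the two handlers. A shared helper that rejects an unset or empty expected value and compares with `timingSafeEqual` (which would need importing from `node:crypto`) addresses all three; the sketch below reuses the `error` helper already called in these hunks. Both handler bodies continue outside the hunks shown.

```typescript
// Shared by GET and POST; fails closed when the configured secret is unset or empty.
function assertSandboxSecret(request: Request): void {
	const expected = process.env.WEB_SANDBOX_SECRET;
	const provided = request.headers.get('secret');
	if (!expected || provided === null) {
		throw error(401, 'Unauthorized');
	}
	const providedBytes = Buffer.from(provided);
	const expectedBytes = Buffer.from(expected);
	// timingSafeEqual throws on length mismatch, so compare lengths first.
	if (providedBytes.length !== expectedBytes.length || !timingSafeEqual(providedBytes, expectedBytes)) {
		throw error(401, 'Unauthorized');
	}
}

export const GET = (async ({ request }) => {
	assertSandboxSecret(request);
	// … unchanged: queued-submission query …

export const POST = (async ({ request }) => {
	assertSandboxSecret(request);
	// … unchanged: request.json() and schema validation …
```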