maxp/lt-auth-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

feat(handler): sanitize sensitive fields in form data

Browse Source 
- Removes `username` and `apiKey` from form data to prevent errors
  from the LanguageTool server when these fields are present
- Updates test cases to reflect the new handling of form data bodies
This commit is contained in:
0xMax42
2025-05-11 10:59:49 +02:00
parent 4326a2d92c
commit b6763f7483
2 changed files with 37 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/__tests__/ltProxyHandler.test.ts
View File

@@ -16,12 +16,16 @@ Deno.test('ltProxyHandler: proxies request and returns response', async () => {
const originalFetch = globalThis.fetch; const originalFetch = globalThis.fetch;
globalThis.fetch = async () => expectedResponse; globalThis.fetch = async () => expectedResponse;
// Form body wie bei echtem Request
const formData = new URLSearchParams({ text: 'Hallo Welt' });
const bodyBytes = new TextEncoder().encode(formData.toString());
const req = new Request('http://localhost/v2/check?language=de-DE', { const req = new Request('http://localhost/v2/check?language=de-DE', {
method: 'POST', method: 'POST',
body: new TextEncoder().encode('text=Hallo+Welt'),
headers: { headers: {
'content-type': 'application/x-www-form-urlencoded', 'content-type': 'application/x-www-form-urlencoded',
}, },
body: bodyBytes,
}); });
const ctx: IContext = { const ctx: IContext = {
@@ -30,7 +34,9 @@ Deno.test('ltProxyHandler: proxies request and returns response', async () => {
query: { query: {
language: 'de-DE', language: 'de-DE',
}, },
state: {}, state: {
body: bodyBytes,
},
}; };
const response = await ltProxyHandler(ctx); const response = await ltProxyHandler(ctx);

33
src/ltProxyHandler.ts
View File

@@ -4,6 +4,7 @@ import { Env } from './env.ts';
/** /**
* Forwards the incoming request to the actual LanguageTool server. * Forwards the incoming request to the actual LanguageTool server.
* Dynamically passes through path and query string. * Dynamically passes through path and query string.
* Removes `username` and `apiKey` from the FormData body if present.
*/ */
export const handler: Handler = async (ctx) => { export const handler: Handler = async (ctx) => {
const originalUrl = new URL(ctx.req.url); const originalUrl = new URL(ctx.req.url);
@@ -12,16 +13,40 @@ export const handler: Handler = async (ctx) => {
`http://${Env.ltServerHost}:${Env.ltServerPort}`, `http://${Env.ltServerHost}:${Env.ltServerPort}`,
); );
const contentType = ctx.req.headers.get('content-type') ?? '';
let body: BodyInit | null = null;
if (
contentType.includes('application/x-www-form-urlencoded') &&
ctx.state.body
) {
const text = new TextDecoder().decode(ctx.state.body as Uint8Array);
const params = new URLSearchParams(text);
// Remove `apiKey` and `username` from the params
// LanguageTool will react with a error if they are present
params.delete('apiKey');
params.delete('username');
body = params.toString();
} else {
console.debug('Unsupported content type:', contentType);
body = ctx.state.body as BodyInit | null;
}
const headers = new Headers(ctx.req.headers);
headers.delete('content-length');
const forwarded = await fetch(proxyUrl.toString(), { const forwarded = await fetch(proxyUrl.toString(), {
method: ctx.req.method, method: ctx.req.method,
headers: ctx.req.headers, headers,
body: ctx.req.body, body,
}); });
const headers = new Headers(forwarded.headers); const respHeaders = new Headers(forwarded.headers);
return new Response(forwarded.body, { return new Response(forwarded.body, {
status: forwarded.status, status: forwarded.status,
headers, headers: respHeaders,
}); });
}; };