Add checks for download links against forged requests

ajmandourah · Oct 19, 2024 · f8e405e · f8e405e
1 parent f2e172c
commit f8e405e
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/gamescollection/collection.go b/gamescollection/collection.go
@@ -29,9 +29,11 @@ type collect struct {
 
 // New create a new collection
 func New(config repository.Config) repository.Collection {
-	return &collect{
+	c := &collect{
 		config: config,
 	}
+	c.games.Headers = append(c.games.Headers, "Tinshop-ng: " + "*")
+	return c
 }
 
 // Load ensure that necessary data is loaded

diff --git a/repository/interfaces.go b/repository/interfaces.go
@@ -97,6 +97,7 @@ type GameType struct {
 	ThemeBlackList []string       `json:"themeBlackList,omitempty"`
 	// Removing the titledb for the resulted json.
 	Titledb map[string]TitleDBEntry `json:"-"`
+	Headers []string		`json:"headers"`
 }
 
 // GameFileType stores the fields needed for game files

diff --git a/security.go b/security.go
@@ -33,18 +33,36 @@ func (s *TinShop) TinfoilMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Verify all headers
 		headers := r.Header
-
+
+		//Skip security checks if Nosecurity is true
 		if s.Shop.Config.DebugNoSecurity() {
 			next.ServeHTTP(w, r)
 			return
 		}
+
+		// Checks for download links
+		if strings.Contains(r.RequestURI, "/games") {
+			//insuring basic headers available while downloading a game
+			if headers["Hauth"] == nil || headers["Uauth"] == nil || headers["Tinshop-Ng"] == nil {
+				log.Println("An attempt to download one of your content from non-Tinfoil Client was Blocked.", r.RemoteAddr)
+				return
+			}
+
+			//Hauth check
+			if s.Shop.Config.Get_Hauth() != "" && r.Header.Get("Hauth") != s.Shop.Config.Get_Hauth(){
+				log.Println("Hauth header mismatch. Possible attempt to access shop from a possible forged request. ", r.RemoteAddr)
+				return
+			}
+		}
 
 		//Show Hauth for the specefied host
 		//tinfoil sends requests appending "/" at the end
 		if r.RequestURI == "/hauth/" && r.Header.Get("Hauth") != "" {
 			log.Println("HAUTH for ", s.Shop.Config.Host(), " is: ", headers["Hauth"])
 			return
 		}
+
+		//Root path checks
 		if r.RequestURI == "/" || utils.IsValidFilter(cleanPath(r.RequestURI)) {
 
 			// Check for blacklist/whitelist