Xóa scene con mà không xóa scene cha

2026-06-09 21:26:47 +07:00
parent d39d3b3d53
commit 67825b04cc
22 changed files with 1185 additions and 1486 deletions
@@ -15,13 +15,28 @@ const verifyReferer = (req, res, next) => {

    const referer = req.headers.referer;
    const origin = req.headers.origin;
-    const systemHost = process.env.SYSTEM_HOST || 'http://localhost:5000';

-    let allowedOrigin;
+    // Prepare allowed origins for Referer/Origin check
+    const primarySystemHost = process.env.SYSTEM_HOST || 'http://localhost:5000';
+    let configuredAllowedOrigins = [];
+
+    // Add primary SYSTEM_HOST
    try {
-        allowedOrigin = new URL(systemHost).origin;
+        configuredAllowedOrigins.push(new URL(primarySystemHost).origin);
    } catch (e) {
-        allowedOrigin = systemHost;
+        console.warn(`[Security Config Warning] Malformed SYSTEM_HOST: ${primarySystemHost}. Using as-is.`);
+        configuredAllowedOrigins.push(primarySystemHost);
+    }
+
+    // Add additional allowed origins from environment variable (comma-separated)
+    if (process.env.ADDITIONAL_ALLOWED_ORIGINS) {
+        process.env.ADDITIONAL_ALLOWED_ORIGINS.split(',').forEach(originStr => {
+            try {
+                configuredAllowedOrigins.push(new URL(originStr.trim()).origin);
+            } catch (e) {
+                console.warn(`[Security Config Warning] Malformed origin in ADDITIONAL_ALLOWED_ORIGINS: ${originStr.trim()}. Skipping.`);
+            }
+        });
    }

    const isMatch = (headerValue) => {
@@ -29,13 +44,17 @@ const verifyReferer = (req, res, next) => {
        try {
            const urlObj = new URL(headerValue);
            const incomingOrigin = urlObj.origin;
-            // Cho phép nếu khớp hoàn toàn origin
-            if (incomingOrigin === allowedOrigin) return true;
+            
+            // Cho phép nếu khớp với bất kỳ origin nào trong danh sách cấu hình
+            if (configuredAllowedOrigins.includes(incomingOrigin)) return true;
+
            // Trong môi trường development, cho phép localhost với bất kỳ port nào
            const isLocal = incomingOrigin.includes('localhost') || incomingOrigin.includes('127.0.0.1') || incomingOrigin.includes('::1');
            if (process.env.NODE_ENV !== 'production' && isLocal) return true;
+
            return false;
        } catch (e) {
+            console.warn(`[Security] Invalid URL in header value: ${headerValue}`);
            return false;
        }
    };
@@ -45,6 +64,9 @@ const verifyReferer = (req, res, next) => {

    // Block request if both referer and origin are missing or do not match SYSTEM_HOST
    if (!hasValidReferer && !hasValidOrigin) {
+        if (process.env.NODE_ENV !== 'production') {
+            console.warn(`[Security Blocked] Referer: ${referer || 'N/A'}, Origin: ${origin || 'N/A'}, Configured: ${configuredAllowedOrigins.join(', ')}`);
+        }
        return res.status(403).json({ 
            message: 'Access denied: Hotlinking detected or direct file access is prohibited.' 
        });