feat: 启用nginx时支持校验签名

bangbang93 · Jan 30, 2024 · 70866b6 · 70866b6
1 parent 86afb00
commit 70866b6
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 1 deletion.
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -0,0 +1,14 @@
+version: '3'
+services:
+  openbmclapi:
+    build: .
+    env_file:
+      - .env
+    volumes:
+    - ./cache:/opt/openbmclapi/cache
+    network_mode: host
+    logging:
+      driver: 'json-file'
+      options:
+        max-size: '100m'
+        max-file: '10'
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -45,6 +45,7 @@ http {
         }
 
         location ~ /download/(.*) {
+            auth_request /auth;
             set $hash $1;
             sendfile       on;
             tcp_nopush     on;
@@ -62,5 +63,14 @@ http {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
         }
+
+        location = /auth {
+            internal;
+            proxy_pass http://unix:<%= root %>/cache/openbmclapi.sock;
+            proxy_pass_request_body off;
+            proxy_set_header Content-Length "";
+            proxy_set_header X-Original-URI $request_uri;
+            proxy_set_header x-openbmclapi-hash $hash;
+        }
     }
 }
diff --git a/src/cluster.ts b/src/cluster.ts
@@ -16,7 +16,7 @@ import morgan from 'morgan'
 import ms from 'ms'
 import {tmpdir} from 'os'
 import pMap from 'p-map'
-import {dirname, join, sep} from 'path'
+import {basename, dirname, join, sep} from 'path'
 import {cwd} from 'process'
 import ProgressBar from 'progress'
 import {connect, Socket} from 'socket.io-client'
@@ -155,6 +155,25 @@ export class Cluster {
   public setupExpress(https: boolean): Server {
     const app = http2Express(express)
     app.enable('trust proxy')
+
+    app.get('/auth', async (req: Request, res: Response, next: NextFunction) => {
+      try {
+        const oldUrl = req.get('x-original-uri')
+        if (!oldUrl) return res.status(403).send('invalid sign')
+
+        const url = new URL(oldUrl, 'http://localhost')
+        const hash = basename(url.pathname)
+        const query = Object.fromEntries(url.searchParams.entries())
+        const signValid = checkSign(hash, this.clusterSecret, query)
+        if (!signValid) {
+          return res.status(403).send('invalid sign')
+        }
+        res.sendStatus(204)
+      } catch (e) {
+        return next(e)
+      }
+    })
+
     if (!process.env.DISABLE_ACCESS_LOG) {
       app.use(morgan('combined'))
     }