From ee4cc79d91e5ede6c6ba0bae05e0f0b70c5f75c8 Mon Sep 17 00:00:00 2001
From: Wilfried OLLIVIER
Date: Wed, 16 Feb 2022 14:32:02 +0100
Subject: [PATCH 1/3] It's a URL not a domain

---
 application/application.go | 4 ++--
 application/volume.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/application/application.go b/application/application.go
index 6f377f4..987b197 100644
--- a/application/application.go
+++ b/application/application.go
@@ -30,7 +30,7 @@ type Application struct {
 Services map[string]service.Service
 serviceFolder string
 Domain string
- GitlabDomain string
+ GitlabURL string
 Router http.Handler
 storage storage.Storage
 volumes *volumes.Volumes
@@ -103,7 +103,7 @@ func New(cfg *conf.Conf) (*Application, error) {
 Services: svcs,
 Domain: cfg.OAuth.AppURL, // FIXME: use dedicated variable
- GitlabDomain: cfg.OAuth.ProviderURL,
+ GitlabURL: cfg.OAuth.ProviderURL,
 serviceFolder: cfg.Services,
 storage: s,
 Router: MagicPathHandler(r),
diff --git a/application/volume.go b/application/volume.go
index 4cd29bd..db36012 100644
--- a/application/volume.go
+++ b/application/volume.go
@@ -65,7 +65,7 @@ func (a *Application) VolumesHandler(basePathLen int, latest bool) http.HandlerF
 if _, err := os.Stat(fullPath); os.IsNotExist(err) {
 l.Warn("Path not found", zap.Error(err))
- data, err := NewResultFromTask(t, "No result for this task", a.GitlabDomain)
+ data, err := NewResultFromTask(t, "No result for this task", a.GitlabURL)
 if err != nil {
 l.Error("when creating result from a task", zap.Error(err))
 w.WriteHeader(http.StatusInternalServerError)
@@ -128,7 +128,7 @@ func (a *Application) renderResultPageForTask(t *task.Task, filePath string, w h
 return err
 }
- data, err := NewResultFromTask(t, template.HTML(content), a.GitlabDomain)
+ data, err := NewResultFromTask(t, template.HTML(content), a.GitlabURL)
 // create the page
 p := html.Page{
 Domain: a.Domain,
From b2ff78b13291c78c05b2cdefb605ca001518bf18 Mon Sep 17 00:00:00 2001
From: Wilfried OLLIVIER
Date: Wed, 16 Feb 2022 14:32:35 +0100
Subject: [PATCH 2/3] Add referer middleware

---
 application/referer.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 application/referer.go

diff --git a/application/referer.go b/application/referer.go
new file mode 100644
index 0000000..cbfe04e
--- /dev/null
+++ b/application/referer.go
@@ -0,0 +1,16 @@
+package application
+
+import "net/http"
+
+// RefererMiddleware ensure that requests comes from the gitlab domain
+func (a *Application) RefererMiddleware(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ referer := r.Referer()
+ if referer != a.GitlabURL {
+ http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
+ return
+ }
+
+ next.ServeHTTP(w, r)
+ })
+}
From 28cf343a6bdec83e3b9437617cfad4d605d81a7a Mon Sep 17 00:00:00 2001
From: Wilfried OLLIVIER
Date: Wed, 16 Feb 2022 14:32:43 +0100
Subject: [PATCH 3/3] Badge routes only use referer middleware

---
 application/application.go | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/application/application.go b/application/application.go
index 987b197..9d740c6 100644
--- a/application/application.go
+++ b/application/application.go
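Review bot: The check `if referer != a.GitlabURL` compares the raw Referer header for exact equality with the configured provider URL, so it will reject most genuine badge loads: a browser sends either the full URL of the page embedding the badge or, under the default `strict-origin-when-cross-origin` policy, just the origin with a trailing slash, neither of which equals a bare provider URL. Parse both sides with `net/url` and compare scheme and host instead, parsing `GitlabURL` once outside the handler, and reject when the configured host is empty so a misconfigured URL fails closed rather than matching every empty Referer. Because the header is client-supplied (a `curl -H 'Referer: …'` passes trivially), the doc comment should also say this deters hotlinking and is not authentication; the current comment is ungrammatical. The rewrite below needs `net/url` and `strings` added to the import block.
```go
// RefererMiddleware rejects requests whose Referer does not carry the
// scheme and host of GitlabURL. The header is client-supplied, so this
// only deters hotlinking; it is not an authentication check.
func (a *Application) RefererMiddleware(next http.Handler) http.Handler {
	gitlab, cfgErr := url.Parse(a.GitlabURL) // parsed once, not per request
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ref, err := url.Parse(r.Referer())
		// Fail closed: a bad GitlabURL, an empty configured host, or an
		// unparsable Referer all reject the request.
		if cfgErr != nil || gitlab.Host == "" || err != nil ||
			ref.Scheme != gitlab.Scheme || !strings.EqualFold(ref.Host, gitlab.Host) {
			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```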
@@ -131,22 +131,33 @@ func New(cfg *conf.Conf) (*Application, error) {
 r.Get("/services", a.ServicesHandler)
 r.Get("/service/{serviceID}", a.ReadmeHandler)
 r.Route("/service/{serviceID}/{project}", func(r chi.Router) {
- r.Use(authMiddleware.Middleware())
 r.Use(a.ServiceMiddleware)
 r.Route("/", func(r chi.Router) {
 r.Route("/{branch}", func(r chi.Router) {
 r.Route("/{commit}", func(r chi.Router) {
- r.Post("/", a.PostTaskHandler)
- r.Get("/", a.TaskHandler(false))
- r.Get("/status", badge.StatusBadge(a.storage, false))
- r.Get("/badge/{badge}", a.BadgeMyTaskHandler(false))
- r.Get("/volumes/*", a.VolumesHandler(6, false))
+ r.Group(func(r chi.Router) {
+ r.Use(authMiddleware.Middleware())
+ r.Post("/", a.PostTaskHandler)
+ r.Get("/", a.TaskHandler(false))
+ r.Get("/volumes/*", a.VolumesHandler(6, false))
+ })
+ r.Group(func(r chi.Router) {
+ r.Use(a.RefererMiddleware)
+ r.Get("/status", badge.StatusBadge(a.storage, false))
+ r.Get("/badge/{badge}", a.BadgeMyTaskHandler(false))
+ })
 })
 r.Route("/latest", func(r chi.Router) {
- r.Get("/", a.TaskHandler(true))
- r.Get("/status", badge.StatusBadge(a.storage, true))
- r.Get("/badge/{badge}", a.BadgeMyTaskHandler(true))
- r.Get("/volumes/*", a.VolumesHandler(6, true))
+ r.Group(func(r chi.Router) {
+ r.Use(authMiddleware.Middleware())
+ r.Get("/", a.TaskHandler(true))
+ r.Get("/volumes/*", a.VolumesHandler(6, true))
+ })
+ r.Group(func(r chi.Router) {
+ r.Use(a.RefererMiddleware)
+ r.Get("/status", badge.StatusBadge(a.storage, true))
+ r.Get("/badge/{badge}", a.BadgeMyTaskHandler(true))
+ })
 })
 })
 })
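Review bot: The `/status` and `/badge/{badge}` groups are now guarded only by `a.RefererMiddleware`, and a Referer header is set by the client, so these routes must be treated as unauthenticated: anyone who knows the service, project, branch and commit can fetch them with a forged header, and `badge.StatusBadge(a.storage, …)` and `a.BadgeMyTaskHandler(…)` must not return anything beyond the badge itself. If that is the intended trade-off it should be recorded at the group, e.g. `// Badge routes are effectively public: the Referer check only deters hotlinking and is trivially forged.` Removing `r.Use(authMiddleware.Middleware())` from the parent `/service/{serviceID}/{project}` route also strips authentication from any other route registered under it outside this hunk, if such routes exist; only `a.ServiceMiddleware` still applies there. The enclosing `New` function starts before this hunk.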