fix: block global API token from /user

SnailyCAD · Jun 14, 2024 · 7cc042a · 7cc042a
1 parent dd029c3
commit 7cc042a
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/apps/api/src/middlewares/auth/utils/utils.ts b/apps/api/src/middlewares/auth/utils/utils.ts
@@ -15,7 +15,10 @@ export function isRouteDisabled(options: Pick<Options, "req">) {
   const url = options.req.originalUrl.toLowerCase();
   const requestMethod = options.req.method as Method;
 
-  const route = DISABLED_API_TOKEN_ROUTES.find(([r]) => url.endsWith(r));
+  const route = DISABLED_API_TOKEN_ROUTES.find(([pathname]) => {
+    const urlPathname = new URL(url, "https://example.com").pathname.toLowerCase();
+    return urlPathname.endsWith(pathname.toLowerCase());
+  });
 
   if (route) {
     const [, methods] = route;