✨ Restrict http methods on RPC handlers

2025-03-19 03:01:27 -05:00 · 2024-03-05 19:06:29 +01:00 · 2024-03-05 19:06:29 +01:00 · 07b8a2a6e6
commit 07b8a2a6e6
parent c3f37fb8a3
2 changed files with 28 additions and 16 deletions
--- a/backend/src/app/http/errors.clj
+++ b/backend/src/app/http/errors.clj
@ -60,8 +60,12 @@

 (defmethod handle-error :restriction
  [err _ _]
-  {::rres/status 400
-   ::rres/body (ex-data err)})
+  (let [{:keys [code] :as data} (ex-data err)]
+    (if (= code :method-not-allowed)
+      {::rres/status 405
+       ::rres/body data}
+      {::rres/status 400
+       ::rres/body data})))

 (defmethod handle-error :rate-limit
  [err _ _]
--- a/backend/src/app/rpc.clj
+++ b/backend/src/app/rpc.clj
@ -31,6 +31,7 @@
   [app.util.services :as sv]
   [app.util.time :as dt]
   [clojure.spec.alpha :as s]
+   [cuerdas.core :as str]
   [integrant.core :as ig]
   [promesa.core :as p]
   [ring.request :as rreq]
@ -71,24 +72,31 @@
 (defn- rpc-handler
  "Ring handler that dispatches cmd requests and convert between
  internal async flow into ring async flow."
-  [methods {:keys [params path-params] :as request}]
-  (let [type       (keyword (:type path-params))
-        etag       (rreq/get-header request "if-none-match")
-        profile-id (or (::session/profile-id request)
-                       (::actoken/profile-id request))
+  [methods {:keys [params path-params method] :as request}]
+  (let [handler-name (:type path-params)
+        etag         (rreq/get-header request "if-none-match")
+        profile-id   (or (::session/profile-id request)
+                         (::actoken/profile-id request))

-        data       (-> params
-                       (assoc ::request-at (dt/now))
-                       (assoc ::session/id (::session/id request))
-                       (assoc ::cond/key etag)
-                       (cond-> (uuid? profile-id)
-                         (assoc ::profile-id profile-id)))
+        data         (-> params
+                         (assoc ::request-at (dt/now))
+                         (assoc ::session/id (::session/id request))
+                         (assoc ::cond/key etag)
+                         (cond-> (uuid? profile-id)
+                           (assoc ::profile-id profile-id)))

-        data       (vary-meta data assoc ::http/request request)
-        method     (get methods type default-handler)]
+        data         (vary-meta data assoc ::http/request request)
+        handler-fn   (get methods (keyword handler-name) default-handler)]
+
+    (when (and (or (= method :get)
+                   (= method :head))
+               (not (str/starts-with? handler-name "get-")))
+      (ex/raise :type :restriction
+                :code :method-not-allowed
+                :hint "method not allowed for this request"))

    (binding [cond/*enabled* true]
-      (let [response (method data)]
+      (let [response (handler-fn data)]
        (handle-response request response)))))

 (defn- wrap-metrics