Make relays an internal URL and prevent :443 infinite redirects.

2024-06-15 05:36:37 +00:00 · 2019-07-23 11:51:06 -05:00 · 2019-07-23 11:51:06 -05:00 · 5a9ec823e4
commit 5a9ec823e4
parent add13724d1
2 changed files with 14 additions and 22 deletions
--- a/config/routes.php
+++ b/config/routes.php
@ -208,6 +208,13 @@ return function(App $app)

            })->add(Middleware\GetStation::class);

+            $this->get('/relays', Controller\Api\Admin\RelaysController::class)
+                ->setName('api:internal:relays')
+                ->add(Middleware\RequireLogin::class);
+
+            $this->post('/relays', Controller\Api\Admin\RelaysController::class.':updateAction')
+                ->add(Middleware\RequireLogin::class);
+
        });

        $this->get('/nowplaying[/{station}]', Controller\Api\NowplayingController::class)
@ -223,11 +230,9 @@ return function(App $app)
            $this->get('/permissions', Controller\Api\Admin\PermissionsController::class)
                ->add([Middleware\Permissions::class, Acl::GLOBAL_PERMISSIONS]);

-            $this->get('/relays', Controller\Api\Admin\RelaysController::class)
-                ->add(Middleware\RequireLogin::class);
-
-            $this->post('/relays', Controller\Api\Admin\RelaysController::class.':updateAction')
-                ->add(Middleware\RequireLogin::class);
+            $this->map(['GET', 'POST'], '/relays', function (\App\Http\Request $request, \App\Http\Response $response) {
+                return $response->withRedirect($request->getRouter()->fromHere('api:internal:relays'));
+            });

            $this->group('', function() {
                /** @var App $this */
--- a/src/Middleware/EnforceSecurity.php
+++ b/src/Middleware/EnforceSecurity.php
@ -44,27 +44,14 @@ class EnforceSecurity
        $csp = [];

        if ($request->isSecure()) {
-
-            $csp[] = 'upgrade-insecure-requests';
-
-        } elseif ($always_use_ssl && !$internal_api_url) {
-
            // Enforce secure cookies.
            ini_set('session.cookie_secure', 1);

-            // Redirect if URL is not currently secure.
-            if (!$request->isSecure()) {
-                $uri = $request->getUri();
-                if (!$uri->getPort()) {
-                    $uri = $uri->withPort(443);
-                }
-                return $response->withRedirect((string)$uri->withScheme('https'), 302);
-            }
-
-            // Set HSTS header.
-            $response = $response->withHeader('Strict-Transport-Security', 'max-age=3600');
-
            $csp[] = 'upgrade-insecure-requests';
+
+            $response = $response->withHeader('Strict-Transport-Security', 'max-age=3600');
+        } elseif ($always_use_ssl && !$internal_api_url) {
+            return $response->withRedirect((string)$request->getUri()->withScheme('https'), 302);
        }

        // Set frame-deny header before next middleware, so it can be overwritten.