Addresses data exposure, access control, input validation, infrastructure hardening, and supply chain security issues identified during audit. Key changes: - Strip internal fields from public campaign/profile/comment endpoints - Restrict docs routes to CONTENT_ROLES, provisioning to SUPER_ADMIN - Add SSE connection limits, social middleware fail-closed behavior - Bind all non-nginx ports to 127.0.0.1, pin container image versions - Add CSP header, conditional HSTS, token redaction in nginx logs - Validate nav URLs, calendar schemas, video tracking batch events - Reject default admin password placeholder, add SSRF protocol checks - Exclude .env from Code Server, enforce RC admin password in compose - Add Zod validation for achievement grant/revoke, webhook secret header - Fix path traversal prefix attack, add calendar token expiry Bunker Admin
import type { Request, Response, NextFunction } from 'express';
import { prisma } from '../../config/database';
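/**
 * Middleware that checks if the social feature is enabled in SiteSettings.
 *
 * Reads `enableSocial` from the first SiteSettings row. When the flag is
 * missing or false the request is answered with 404 (`SOCIAL_DISABLED`), so
 * disabled social routes look like non-existent ones. When the lookup itself
 * fails the middleware fails closed with 503 (`SERVICE_UNAVAILABLE`) instead
 * of letting the request through; the underlying error is logged server-side
 * only and is never included in the response body.
 *
 * @param req - Incoming request; passed through the chain unchanged.
 * @param res - Response used to send the 404 / 503 denial.
 * @param next - Called only when social features are enabled.
 */
export async function checkSocialEnabled(req: Request, res: Response, next: NextFunction): Promise<void> {
  try {
    const settings = await prisma.siteSettings.findFirst({ select: { enableSocial: true } });
    if (!settings?.enableSocial) {
      res.status(404).json({ error: { message: 'Social features are not enabled', code: 'SOCIAL_DISABLED' } });
      return;
    }
    next();
  } catch (err: unknown) {
    // Fail closed — if we can't check the feature flag, deny access.
    // Log the cause so a persistent lookup failure (and the blanket 503s it
    // produces) is visible to operators instead of being silently swallowed;
    // the client still only sees the generic message below.
    console.error('checkSocialEnabled: failed to read SiteSettings', err);
    res.status(503).json({ error: { message: 'Service temporarily unavailable', code: 'SERVICE_UNAVAILABLE' } });
  }
}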