Implement method whitelisting middleware to secure API endpoints

Update methodWhitelist.ts update methodWhitelist status code refactor methodWhitelist middleware logic
shardeum · Sep 4, 2024 · 1f0d033 · 1f0d033
1 parent adac9f9
commit 1f0d033
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/src/middlewares/methodWhitelist.ts b/src/middlewares/methodWhitelist.ts
@@ -0,0 +1,12 @@
+import { Request, Response, NextFunction } from 'express';
+import { methods } from '../api';
+
+const allowedMethods = Object.keys(methods);
+
+export const methodWhitelist = (req: Request, res: Response, next: NextFunction) => {
+  const method = req.body?.method;
+  if (method && allowedMethods.includes(method)) {
+    return next();
+  }
+  return res.status(403).json({ error: 'Forbidden' });
+};
diff --git a/src/server.ts b/src/server.ts
@@ -34,6 +34,7 @@ import { setupEvmLogProviderConnectionStream } from './websocket/log_server'
 import { setupArchiverDiscovery } from '@shardus/archiver-discovery'
 import { setDefaultResultOrder } from 'dns'
 import { nestedCountersInstance } from './utils/nestedCounters'
+import { methodWhitelist } from './middlewares/methodWhitelist'
 setDefaultResultOrder('ipv4first')
 
 // const path = require('path');
@@ -195,6 +196,8 @@ app.use('/log', authorize, logRoute)
 app.use('/authenticate', authenticate)
 app.use('/', healthCheckRouter)
 app.use(injectIP)
+// Method Whitelisting Middleware
+app.use(methodWhitelist)
 // reject subscription methods from http
 app.use(rejectSubscription)
 app.use(server.middleware())