fix(core): Do not explicitly bypass auth on urls containing .svg (#5525)

2025-03-05 20:50:17 -08:00 · 2023-02-21 11:52:22 +01:00 · 2023-02-21 11:52:22 +01:00 · f58573dba3
parent 684d717520
commit f58573dba3
1 changed files with 7 additions and 7 deletions
--- a/packages/cli/src/middlewares/auth.ts
+++ b/packages/cli/src/middlewares/auth.ts
@ -3,11 +3,12 @@ import jwt from 'jsonwebtoken';
 import cookieParser from 'cookie-parser';
 import passport from 'passport';
 import { Strategy } from 'passport-jwt';
+import { sync as globSync } from 'fast-glob';
 import { LoggerProxy as Logger } from 'n8n-workflow';
 import type { JwtPayload } from '@/Interfaces';
 import type { AuthenticatedRequest } from '@/requests';
 import config from '@/config';
-import { AUTH_COOKIE_NAME } from '@/constants';
+import { AUTH_COOKIE_NAME, EDITOR_UI_DIST_DIR } from '@/constants';
 import { issueCookie, resolveJwtContent } from '@/auth/jwt';
 import {
 	isAuthenticatedRequest,
@ -61,6 +62,10 @@ const refreshExpiringCookie: RequestHandler = async (req: AuthenticatedRequest,

 const passportMiddleware = passport.authenticate('jwt', { session: false }) as RequestHandler;

+const staticAssets = globSync(['**/*.html', '**/*.svg', '**/*.png', '**/*.ico'], {
+	cwd: EDITOR_UI_DIST_DIR,
+});
+
 /**
 * This sets up the auth middlewares in the correct order
 */
@ -79,12 +84,7 @@ export const setupAuthMiddlewares = (
 			// TODO: refactor me!!!
 			// skip authentication for preflight requests
 			req.method === 'OPTIONS' ||
-			req.url === '/index.html' ||
-			req.url === '/favicon.ico' ||
-			req.url.startsWith('/css/') ||
-			req.url.startsWith('/js/') ||
-			req.url.startsWith('/fonts/') ||
-			req.url.includes('.svg') ||
+			staticAssets.includes(req.url.slice(1)) ||
 			req.url.startsWith(`/${restEndpoint}/settings`) ||
 			req.url.startsWith(`/${restEndpoint}/login`) ||
 			req.url.startsWith(`/${restEndpoint}/logout`) ||