From f58573dba30eba8fe3d844d1b7b2dbbb8d51b8b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=A4=95=E0=A4=BE=E0=A4=B0=E0=A4=A4=E0=A5=8B=E0=A4=AB?= =?UTF-8?q?=E0=A5=8D=E0=A4=AB=E0=A5=87=E0=A4=B2=E0=A4=B8=E0=A5=8D=E0=A4=95?= =?UTF-8?q?=E0=A5=8D=E0=A4=B0=E0=A4=BF=E0=A4=AA=E0=A5=8D=E0=A4=9F=E2=84=A2?=
Date: Tue, 21 Feb 2023 11:52:22 +0100
Subject: [PATCH] fix(core): Do not explicitly bypass auth on urls containing `.svg` (#5525)
---
 packages/cli/src/middlewares/auth.ts | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/packages/cli/src/middlewares/auth.ts b/packages/cli/src/middlewares/auth.ts
index a0c13d4f21..070b86dd09 100644
--- a/packages/cli/src/middlewares/auth.ts
+++ b/packages/cli/src/middlewares/auth.ts
@@ -3,11 +3,12 @@ import jwt from 'jsonwebtoken';
 import cookieParser from 'cookie-parser';
 import passport from 'passport';
 import { Strategy } from 'passport-jwt';
+import { sync as globSync } from 'fast-glob';
 import { LoggerProxy as Logger } from 'n8n-workflow';
 import type { JwtPayload } from '@/Interfaces';
 import type { AuthenticatedRequest } from '@/requests';
 import config from '@/config';
-import { AUTH_COOKIE_NAME } from '@/constants';
+import { AUTH_COOKIE_NAME, EDITOR_UI_DIST_DIR } from '@/constants';
 import { issueCookie, resolveJwtContent } from '@/auth/jwt';
 import {
 isAuthenticatedRequest,
@@ -61,6 +62,10 @@ const refreshExpiringCookie: RequestHandler = async (req: AuthenticatedRequest,
 
 const passportMiddleware = passport.authenticate('jwt', { session: false }) as RequestHandler;
 
+const staticAssets = globSync(['**/*.html', '**/*.svg', '**/*.png', '**/*.ico'], {
+ cwd: EDITOR_UI_DIST_DIR,
+});
+
 /**
 * This sets up the auth middlewares in the correct order
 */
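Review bot: The new `import { sync as globSync } from 'fast-glob';` now sits on the authentication path, yet the diffstat shows only `auth.ts` changed, so no manifest is touched in this commit. Please confirm that `fast-glob` is declared as a direct dependency of `packages/cli` rather than being resolved through hoisting from another workspace package. If it is only hoisted, an unrelated dependency change could silently swap or remove the module that decides which paths skip auth.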
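Review bot: `staticAssets` is in effect the allowlist of paths served without authentication, but the declaration carries no comment saying so. The list is computed once at module load from whatever is on disk under `EDITOR_UI_DIST_DIR`, so any `.html`, `.svg`, `.png` or `.ico` file that ends up in that directory becomes reachable unauthenticated. I would add a comment above it such as `// Allowlist of editor-ui files served without auth; entries are paths relative to EDITOR_UI_DIST_DIR and are matched exactly.` Presumably an empty or missing dist directory yields an empty list with no error, so a debug log of `staticAssets.length` at startup would make a broken build visible instead of showing up as unexplained 401s.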
@@ -79,12 +84,7 @@ export const setupAuthMiddlewares = (
 // TODO: refactor me!!!
 // skip authentication for preflight requests
 req.method === 'OPTIONS' ||
- req.url === '/index.html' ||
- req.url === '/favicon.ico' ||
- req.url.startsWith('/css/') ||
- req.url.startsWith('/js/') ||
- req.url.startsWith('/fonts/') ||
- req.url.includes('.svg') ||
+ staticAssets.includes(req.url.slice(1)) ||
 req.url.startsWith(`/${restEndpoint}/settings`) ||
 req.url.startsWith(`/${restEndpoint}/login`) ||
 req.url.startsWith(`/${restEndpoint}/logout`) ||
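Review bot: `staticAssets.includes(req.url.slice(1))` compares the whole `req.url`, query string included, so a request like `/index.html?v=1` no longer matches and falls through to the auth check. The exact match is what closes the substring bypass and should stay, but it would be more robust on the path alone, e.g. `staticAssets.includes(req.path.slice(1)) ||`. The removed `/css/`, `/js/` and `/fonts/` prefixes are not covered by the glob, which lists only html, svg, png and ico; if those assets are still served behind this middleware they now require a session, which is worth confirming. A `Set` with `.has()` would also avoid a linear scan on every request. The condition starts and ends outside this hunk, so the remaining `startsWith` exemptions were not reviewed in full.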