From 497569fee4a841b13ed1606ca54f269162d3fa62 Mon Sep 17 00:00:00 2001
From: Nicolas Dietrich
Date: Fri, 22 Jan 2021 16:47:47 +0100
Subject: Add config option which requires authentication in FreeURL mode

This mitigates unintended note creation by bots or humans through a
simple GET call.

See discussion in #754.

Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
---
 lib/web/note/util.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/web/note')

diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index 75f0c815..57438515 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -52,7 +52,7 @@ exports.newNote = function (req, res, body) {
     return errors.errorForbidden(res)
   }
   if (noteId) {
-    if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) {
+    if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId) && (!config.requireFreeURLAuthentication || req.isAuthenticated())) {
       req.alias = noteId
     } else {
       return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)
-- 
cgit v1.2.3