@zrrrzzt
Last active November 24, 2022 16:41
Example code for restricting put on GUN
/* You'll need this on your client:
Gun.on('opt', function (ctx) {
  if (ctx.once) {
    return
  }
  ctx.on('out', function (msg) {
    var to = this.to
    // Adds headers for put
    msg.headers = {
      token: 'thisIsTheTokenForReals'
    }
    to.next(msg) // pass to next middleware
  })
})
*/
const port = process.env.OPENSHIFT_NODEJS_PORT || process.env.VCAP_APP_PORT || process.env.PORT || process.argv[2] || 8000
const Gun = require('gun')

// A put is accepted only when the message carries the shared token.
// The token is one static secret embedded in every client, so this
// gates writes on possession of that string, nothing more.
function isValidPut (msg) {
  return msg && msg.headers && msg.headers.token === 'thisIsTheTokenForReals'
}

// Restrict put: drop incoming messages that write data without a valid
// token; everything else (reads, acks) passes through untouched.
Gun.on('opt', function (ctx) {
  if (ctx.once) {
    return
  }
  ctx.on('in', function (msg) {
    var to = this.to
    if (msg.put) {
      if (isValidPut(msg)) {
        to.next(msg)
      }
    } else {
      to.next(msg)
    }
  })
})

// Serving __dirname this way is the issue raised in the comments below (amark/gun#880).
const server = require('http').createServer(Gun.serve(__dirname))
Gun({
  file: 'data.json',
  web: server
})
server.listen(port)
console.log('Server started on port ' + port + ' with /gun')
@amark
amark commented Jan 20, 2020

@zrrrzzt this file has an old copy&pasted security vulnerability we need to delete/patch: amark/gun#880

To fix, I think you can replace the entire createServer with just this now: https://github.com/amark/gun/blob/master/examples/http.js#L16 (Note: it still CDN-ifys everything, but protects against traversing parent files via a curl mode)

@zrrrzzt
zrrrzzt commented Jan 20, 2020

Just delete the link to this gist and I'll delete the gist itself. Haven't used Gun for years so should probably retire/archive most of the other repos as well.

@amark
amark commented Jan 20, 2020

@zrrrzzt thanks for the responsiveness 👍 this was my fault. Your other repos are actually pretty popular reference points in the community (at least like once a month), thanks for merging, if you can still keep them public that'd be great. Have a good one!

@zrrrzzt
zrrrzzt commented Jan 20, 2020

okay

If it's helpful I'll leave them available :-) I will update this example as well.

And best of luck with your mission 👍