Example code for restricting put on GUN
/* You'll need this on your client: attach the shared token to every
   outgoing message so the server's 'in' hook below can check it.
Gun.on('opt', function (ctx) {
  if (ctx.once) {
    return
  }
  ctx.on('out', function (msg) {
    var to = this.to
    // Adds headers for put
    msg.headers = {
      token: 'thisIsTheTokenForReals'
    }
    to.next(msg) // pass to next middleware
  })
})
*/
const port = process.env.OPENSHIFT_NODEJS_PORT || process.env.VCAP_APP_PORT || process.env.PORT || process.argv[2] || 8000
const Gun = require('gun')

// A put is accepted only when the message carries the shared token in its headers.
// Note: this is a single static secret shared by every client and sent in every message.
function isValidPut (msg) {
  return !!(msg && msg.headers && msg.headers.token && msg.headers.token === 'thisIsTheTokenForReals')
}

// Restrict put: inspect every incoming message on the server peer; drop puts that lack a
// valid token and pass everything else (gets, acks) through to the next middleware.
Gun.on('opt', function (ctx) {
  if (ctx.once) {
    return
  }
  ctx.on('in', function (msg) {
    var to = this.to
    if (msg.put) {
      if (isValidPut(msg)) {
        to.next(msg)
      }
      // an invalid put is silently dropped: the peer receives no ack or error
    } else {
      to.next(msg)
    }
  })
})

// Serves the gun client files from this directory and mounts gun on /gun.
// See the comment thread below: this createServer line is the one flagged in amark/gun#880.
const server = require('http').createServer(Gun.serve(__dirname))
Gun({
  file: 'data.json',
  web: server
})
server.listen(port)
console.log('Server started on port ' + port + ' with /gun')
amark commented Jan 20, 2020

@zrrrzzt this file has an old copy&pasted security vulnerability we need to delete/patch: amark/gun#880

To fix, I think you can replace the entire createServer with just this now: https://github.com/amark/gun/blob/master/examples/http.js#L16 (Note: it still CDN-ifies everything, but protects against traversing parent files via a curl mode)

zrrrzzt (Owner Author) commented Jan 20, 2020

Just delete the link to this gist and I'll delete the gist itself. Haven't used Gun for years so should probably retire/archive most of the other repos as well.

amark commented Jan 20, 2020

@zrrrzzt thanks for the responsiveness 👍 this was my fault. Your other repos are actually pretty popular reference points in the community (at least like once a month); thanks for merging. If you can still keep them public, that'd be great. Have a good one!

zrrrzzt (Owner Author) commented Jan 20, 2020

okay

If it's helpful I'll leave them available :-) I will update this example as well.

And best of luck with your mission 👍
