Example code for restricting put on GUN
/* You'll need this on your client
Gun.on('opt', function (ctx) {
  if (ctx.once) {
    return
  }
  ctx.on('out', function (msg) {
    var to = this.to
    // Adds headers for put
    msg.headers = {
      token: 'thisIsTheTokenForReals'
    }
    to.next(msg) // pass to next middleware
  })
})
*/
const port = process.env.OPENSHIFT_NODEJS_PORT || process.env.VCAP_APP_PORT || process.env.PORT || process.argv[2] || 8000
const Gun = require('gun')

// A put is accepted only when it carries the shared token header
function isValidPut (msg) {
  return msg && msg.headers && msg.headers.token && msg.headers.token === 'thisIsTheTokenForReals'
}

// Restrict put: inbound messages carrying a put are dropped unless the token matches;
// everything else (gets, acks) is passed on unchanged
Gun.on('opt', function (ctx) {
  if (ctx.once) {
    return
  }
  ctx.on('in', function (msg) {
    var to = this.to
    if (msg.put) {
      if (isValidPut(msg)) {
        to.next(msg)
      }
    } else {
      to.next(msg)
    }
  })
})

// Gun.serve(__dirname) is the static-file handler the comments below flag (amark/gun#880)
const server = require('http').createServer(Gun.serve(__dirname))
Gun({
  file: 'data.json',
  web: server
})
server.listen(port)
console.log('Server started on port ' + port + ' with /gun')
@amark amark commented Jan 20, 2020

@zrrrzzt this file has an old copy&pasted security vulnerability we need to delete/patch: amark/gun#880

To fix, I think you can replace the entire createServer with just this now: https://github.com/amark/gun/blob/master/examples/http.js#L16 (Note: it still CDN-ifys everything, but protects against traversing parent files via a curl mode)

Owner Author

@zrrrzzt zrrrzzt commented Jan 20, 2020

Just delete the link to this gist and I'll delete the gist itself. Haven't used Gun for years, so I should probably retire/archive most of the other repos as well.

@amark amark commented Jan 20, 2020

@zrrrzzt thanks for the responsiveness 👍 this was my fault. Your other repos are actually pretty popular reference points in the community (at least like once a month); thanks for merging, and if you can still keep them public that'd be great. Have a good one!

Owner Author

@zrrrzzt zrrrzzt commented Jan 20, 2020

okay

If it's helpful I'll leave them available :-) I will update this example as well.

And best of luck with your mission 👍
