aboutsummaryrefslogtreecommitdiff
path: root/src/routes
diff options
context:
space:
mode:
Diffstat (limited to 'src/routes')
-rw-r--r--src/routes/api/notifications/subscribe/+server.ts17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/routes/api/notifications/subscribe/+server.ts b/src/routes/api/notifications/subscribe/+server.ts
index 51dbf340..b1913e5d 100644
--- a/src/routes/api/notifications/subscribe/+server.ts
+++ b/src/routes/api/notifications/subscribe/+server.ts
@@ -3,6 +3,7 @@ import { safeUserIdentity } from "$lib/Data/AniList/identity";
import { setUserSubscription } from "$lib/Database/SB/User/notifications";
import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
+import { isAllowedPushEndpoint } from "$lib/Utility/pushEndpoint";
const unauthorised = new Response("Unauthorised", { status: 401 });
@@ -20,12 +21,20 @@ export const POST = async ({ cookies, request, url }) => {
if (!userId) return unauthorised;
+ const subscription = await decodeRequestJsonOrThrow(
+ request,
+ Schema.Record(Schema.String, Schema.Unknown),
+ );
+
+ if (
+ typeof subscription.endpoint !== "string" ||
+ !isAllowedPushEndpoint(subscription.endpoint)
+ )
+ return new Response("Invalid push endpoint", { status: 400 });
+
await setUserSubscription(
userId,
- (await decodeRequestJsonOrThrow(
- request,
- Schema.Record(Schema.String, Schema.Unknown),
- )) as unknown as JSON,
+ subscription as unknown as JSON,
fingerprint,
);
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-02 12:57:52 +0000