(config: ResolvedConfig, req: IncomingMessage)
| 3 | import crypto from 'node:crypto' |
| 4 | |
/**
 * Decides whether an incoming API request carries the configured API token.
 *
 * The token is read from the `token` query parameter of `req.url` and compared
 * with `config.api.token` using `crypto.timingSafeEqual`, so the comparison time
 * does not depend on where the two values first differ.
 *
 * @param config - Resolved config; only `config.api.token` is read here.
 * @param req - Incoming HTTP request; only `req.url` is read here.
 * @returns `true` only when a non-empty token is supplied and it matches the
 * configured one; `false` in every other case, including when building or
 * comparing the buffers throws.
 */
export function isValidApiRequest(config: ResolvedConfig, req: IncomingMessage): boolean {
  // `req.url` may be absent and is parsed against a placeholder base;
  // only the query string is used below.
  const { searchParams } = new URL(req.url ?? '', 'http://localhost')

  // The token is injected into the ui/tester/orchestrator html, which is cross-origin protected.
  // NOTE(review): the token is carried in the query string, so it can end up wherever
  // request URLs are recorded. Confirm that is acceptable for this deployment.
  try {
    const supplied = searchParams.get('token')
    if (!supplied) {
      // A missing or empty token is rejected before any comparison takes place.
      return false
    }

    const suppliedBytes = Buffer.from(supplied)
    const expectedBytes = Buffer.from(config.api.token)
    if (crypto.timingSafeEqual(suppliedBytes, expectedBytes)) {
      return true
    }
  }
  catch {
    // timingSafeEqual throws when the two buffers differ in length. Any error
    // raised inside the try block is treated as "not authorized" (fail closed).
  }

  return false
}
no test coverage detected