feat: white url list for openai security

2025-08-08 11:50:33 +08:00 · 2023-06-13 00:39:29 +08:00
parent bdb03e07fc
commit 0d4611052e
3 changed files with 29 additions and 8 deletions
--- a/app/api/openai/[...path]/route.ts
+++ b/app/api/openai/[...path]/route.ts
@@ -1,14 +1,32 @@
+import { OpenaiPath } from "@/app/constant";
 import { prettyObject } from "@/app/utils/format";
 import { NextRequest, NextResponse } from "next/server";
 import { auth } from "../../auth";
 import { requestOpenai } from "../../common";

+const ALLOWD_PATH = new Set(Object.values(OpenaiPath));
+
 async function handle(
  req: NextRequest,
  { params }: { params: { path: string[] } },
 ) {
  console.log("[OpenAI Route] params ", params);

+  const subpath = params.path.join("/");
+
+  if (!ALLOWD_PATH.has(subpath)) {
+    console.log("[OpenAI Route] forbidden path ", subpath);
+    return NextResponse.json(
+      {
+        error: true,
+        msg: "you are not allowed to request " + subpath,
+      },
+      {
+        status: 403,
+      },
+    );
+  }
+
  const authResult = auth(req);
  if (authResult.error) {
    return NextResponse.json(authResult, {