diff --git a/plugins/clnrest/clnrest.py b/plugins/clnrest/clnrest.py
index 1e3c41761184..0f6394a97d41 100755
--- a/plugins/clnrest/clnrest.py
+++ b/plugins/clnrest/clnrest.py
@@ -3,6 +3,8 @@ try:
     import sys
     import os
+    import re
+    import ssl
     import time
     import multiprocessing
     from gunicorn import glogging  # noqa: F401
@@ -30,9 +32,25 @@
 multiprocessing.set_start_method('fork')
 
+
+def check_origin(origin):
+    from utilities.shared import REST_CORS_ORIGINS
+    is_whitelisted = False
+    if REST_CORS_ORIGINS[0] == "*":
+        is_whitelisted = True
+    else:
+        for whitelisted_origin in REST_CORS_ORIGINS:
+            try:
+                does_match = bool(re.compile(whitelisted_origin).match(origin))
+                is_whitelisted = is_whitelisted or does_match
+            except Exception as err:
+                plugin.log(f"Error from rest-cors-origin {whitelisted_origin} match with {origin}: {err}", "info")
+    return is_whitelisted
+
+
 jobs = {}
 app = Flask(__name__)
-socketio = SocketIO(app, async_mode="gevent", cors_allowed_origins="*")
+socketio = SocketIO(app, async_mode="gevent", cors_allowed_origins=check_origin)
 msgq = Queue()
 
@@ -82,7 +100,7 @@ def ws_connect():
 def create_app():
     from utilities.shared import REST_CORS_ORIGINS
     global app
-    app.config['SECRET_KEY'] = os.urandom(24).hex()
+    app.config["SECRET_KEY"] = os.urandom(24).hex()
     authorizations = {
         "rune": {"type": "apiKey", "in": "header", "name": "Rune"}
     }
@@ -124,6 +142,7 @@ def set_application_options(plugin):
         "loglevel": "warning",
         "certfile": f"{CERTS_PATH}/client.pem",
         "keyfile": f"{CERTS_PATH}/client-key.pem",
+        "ssl_version": ssl.PROTOCOL_TLSv1_2
     }
     return options
 
diff --git a/plugins/clnrest/utilities/rpc_routes.py b/plugins/clnrest/utilities/rpc_routes.py
index 60ff848514eb..d2d7d2d9a015 100644
--- a/plugins/clnrest/utilities/rpc_routes.py
+++ b/plugins/clnrest/utilities/rpc_routes.py
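Review bot: `re.compile(whitelisted_origin).match(origin)` in check_origin anchors only at the start of the origin, so a rest-cors-origins entry such as `https://example.com` also accepts `https://example.com.other.example` or `https://example.com:8080`, and its unescaped dots match any character; a CORS origin check needs to compare the whole value. Change the line to `does_match = re.fullmatch(whitelisted_origin, origin) is not None`, and apply `re.escape` to the entry first if the option is documented as a list of literal origins rather than patterns. `REST_CORS_ORIGINS[0]` raises IndexError on an empty list before any origin is inspected, so the wildcard test should be guarded, e.g. `if REST_CORS_ORIGINS and REST_CORS_ORIGINS[0] == "*":`. Whether `plugin` is already bound when this module-level function is first called is not visible in this hunk.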
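Review bot: `"ssl_version": ssl.PROTOCOL_TLSv1_2` in set_application_options pins the gunicorn listener to exactly TLS 1.2, so clients capable of TLS 1.3 are negotiated down, and that constant has been deprecated since Python 3.10 and emits a DeprecationWarning. If the intent is to reject TLS 1.0/1.1 rather than to forbid 1.3, `"ssl_version": ssl.PROTOCOL_TLS_SERVER,` is the forward-compatible choice, assuming the gunicorn release in use accepts it; the effective minimum version then follows the interpreter's and OpenSSL's policy, which should be confirmed on the target platform. A why-comment such as `# floor the listener at TLS 1.2; older protocol versions are refused` would record the intent either way, and the new entry should end with a trailing comma like the entries above it. set_application_options starts outside the hunk.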
@@ -44,7 +44,7 @@ def post(self, rpc_method):
                 raise Exception(is_valid_rune)
         except Exception as err:
-            return json5.loads(str(err)), 403
+            return json5.loads(str(err)), 401
         try:
             if request.is_json: