From ec6537656925a43871b07cfee12c9f383844d224 Mon Sep 17 00:00:00 2001
From: mikiher
Date: Tue, 11 Feb 2025 22:02:51 +0200
Subject: [PATCH] Security fix for GHSA-pg8v-5jcv-wrvw

---
 server/Auth.js | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/server/Auth.js b/server/Auth.js
index 74b767f5..8ece90ae 100644
--- a/server/Auth.js
+++ b/server/Auth.js
@@ -10,6 +10,7 @@ const ExtractJwt = require('passport-jwt').ExtractJwt
 const OpenIDClient = require('openid-client')
 const Database = require('./Database')
 const Logger = require('./Logger')
+const { escapeRegExp } = require('./utils')
 
 /**
  * @class Class for handling all the authentication related functionality.
@@ -18,7 +19,11 @@ class Auth {
   constructor() {
     // Map of openId sessions indexed by oauth2 state-variable
     this.openIdAuthSession = new Map()
-    this.ignorePatterns = [/\/api\/items\/[^/]+\/cover/, /\/api\/authors\/[^/]+\/image/]
+    const escapedRouterBasePath = escapeRegExp(global.RouterBasePath)
+    this.ignorePatterns = [
+      new RegExp(`^(${escapedRouterBasePath}/api)?/items/[^/]+/cover$`),
+      new RegExp(`^(${escapedRouterBasePath}/api)?/authors/[^/]+/image$`)
+    ]
   }
 
   /**
@@ -28,7 +33,7 @@ class Auth {
    * @private
    */
   authNotNeeded(req) {
-    return req.method === 'GET' && this.ignorePatterns.some((pattern) => pattern.test(req.originalUrl))
+    return req.method === 'GET' && this.ignorePatterns.some((pattern) => pattern.test(req.path))
   }
 
   ifAuthNeeded(middleware) {
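Review bot: The rewritten patterns in the constructor hunk carry the fix but not its reasoning, so a later cleanup could drop the `^`/`$` anchors or switch `authNotNeeded` back to `req.originalUrl` without anyone noticing the regression; add a comment above `this.ignorePatterns` along the lines of `// Anchored and tested against req.path (path only, no query string): an unanchored match on originalUrl let unrelated URLs satisfy the allow-list and skip auth`. If `global.RouterBasePath` can be unset when `Auth` is constructed, `escapeRegExp(global.RouterBasePath)` would interpolate `undefined` (or throw, depending on the helper in ./utils) into both patterns; where that is possible, `escapeRegExp(global.RouterBasePath || '')` keeps them well-formed. The optional `(…/api)?` group also means a path with no `/api` prefix at all is accepted, presumably because `req.path` is already relative when the middleware is mounted under a router, which is worth one more line in that comment. `ifAuthNeeded`'s body continues past the last hunk.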