feat(api): block useragents in /get-public-profile (#55487)

2026-01-06 06:01:31 -05:00 · 2024-07-12 13:03:00 +05:30
parent 33eed5bb31
commit ca60b5e81d
2 changed files with 20 additions and 1 deletions
--- a/api/src/routes/user.ts
+++ b/api/src/routes/user.ts
@@ -63,6 +63,8 @@ const nullableFlags = [
  'keyboardShortcuts'
 ] as const;

+const blockedUserAgentParts = ['python', 'google-apps-script', 'curl'];
+
 type NullableFlag = (typeof nullableFlags)[number];

 /**
@@ -654,6 +656,18 @@ export const userPublicGetRoutes: FastifyPluginCallbackTypebox = (
      schema: schemas.getPublicProfile
    },
    async (req, reply) => {
+      const userAgent = req.headers['user-agent'];
+
+      if (
+        userAgent &&
+        blockedUserAgentParts.some(ua => userAgent.toLowerCase().includes(ua))
+      ) {
+        void reply.code(400);
+        return reply.send(
+          'This endpoint is no longer available outside of the freeCodeCamp ecosystem'
+        );
+      }
+
      // TODO(Post-MVP): look for duplicates unless we can make username unique in the db.
      const user = await fastify.prisma.user.findFirst({
        where: { username: req.query.username }
--- a/api/src/schemas/api/users/get-public-profile.ts
+++ b/api/src/schemas/api/users/get-public-profile.ts
@@ -112,7 +112,12 @@ export const getPublicProfile = {
    // We can't simply have Type.Object({}), even though that's correct, because
    // TypeScript will then accept all responses (since every object can be
    // assigned to {})
-    400: Type.Object({ entities: Type.Optional(Type.Never()) }),
+    400: Type.Union([
+      Type.Object({ entities: Type.Optional(Type.Never()) }),
+      Type.Literal(
+        'This endpoint is no longer available outside of the freeCodeCamp ecosystem'
+      )
+    ]),
    404: Type.Object({ entities: Type.Optional(Type.Never()) })
  }
 };