From 7b66575ea828b5494900ef335ba2910897b837b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kasper=20Rynning-T=C3=B8nnesen?=
Date: Wed, 28 Feb 2018 14:25:33 +0100
Subject: [PATCH] Locking down some paths not meant to be seen with url

---
 server/apps/admin.js | 8 ++++++++
 server/apps/client.js | 10 ++++++++++
 2 files changed, 18 insertions(+)

diff --git a/server/apps/admin.js b/server/apps/admin.js
index 89b7f3a6..4b5fd762 100644
--- a/server/apps/admin.js
+++ b/server/apps/admin.js
@@ -183,6 +183,14 @@ app.use('/logout', function(req, res) {
 res.redirect('/login');
 });

+app.use('/assets/admin/authenticated', function(req, res, next) {
+ if(!req.isAuthenticated()) {
+ res.sendStatus(403);
+ return;
+ }
+ return next();
+});
+
 app.use('/assets', express.static(publicPath + '/assets'));

 app.use('/', isLoggedIn, function(req, res) {
diff --git a/server/apps/client.js b/server/apps/client.js
index 6cb7aa30..f8357973 100755
--- a/server/apps/client.js
+++ b/server/apps/client.js
@@ -86,6 +86,16 @@ app.use('/', ico_router);
 app.use('/', api);
 app.use('/', router);

+app.use('/assets/js', function(req, res, next) {
+ res.sendStatus(403);
+ return;
+});
+
+app.use('/assets/admin', function(req, res, next) {
+ res.sendStatus(403);
+ return;
+});
+
 app.use('/assets', express.static(publicPath + '/assets'));

 app.use(function (req, res, next) {
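Review bot: The new guard on `/assets/admin/authenticated` and the `express.static` mount on `/assets` below it each interpret the request path on their own, so the check protects the files only while both agree on which file a URL names. The guard matches a path prefix as the request arrives, whereas the static handler resolves the path itself before reading from disk; the hunk does not show that every non-canonical spelling of the protected path is rejected before it reaches the static mount. A sturdier layout moves the authenticated-only files out of `publicPath + '/assets'` and serves them from their own root behind the check, e.g. `app.use('/assets/admin/authenticated', guard, express.static(PRIVATE_ASSETS_DIR));` (both names are placeholders). The same applies to the two deny handlers added in server/apps/client.js. If the current layout stays, a comment such as `// Must stay above the /assets static mount: registration order is what enforces this check.` would protect it from a later reordering.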
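Review bot: The two deny handlers for `/assets/js` and `/assets/admin` are identical, declare a `next` they never call, and end in a redundant `return;`. Express accepts an array of mount paths, so a single registration covers both: `app.use(['/assets/js', '/assets/admin'], function(req, res) { res.sendStatus(403); });`. Neither handler says why the client app must refuse these directories; if the intent is that they are served only by the admin app, a comment like `// Served by the admin app only; the client app must never expose these directories.` would record it. Answering 404 rather than 403 would also avoid confirming to an unauthenticated caller that the directories exist.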