rename to coll_internal_access_dep

ikreymer · ikreymer · commit bcad9b0b7da0 · 2026-03-12T14:13:30.000-07:00
catch jwt exceptions
block /internal/ access in frontend
diff --git a/backend/btrixcloud/auth.py b/backend/btrixcloud/auth.py
@@ -134,8 +134,11 @@ def create_custom_jwt_token(sub: str, data: dict[str, str]) -> str:
 def get_custom_jwt_token(request: Request) -> dict[str, str]:
     """return data from custom jwt token"""
     token = request.query_params.get("auth_bearer") or ""
-    payload = decode_jwt(token, [CUSTOM_AUTH_AUD])
-    return payload
+    try:
+        return decode_jwt(token, [CUSTOM_AUTH_AUD])
+    # pylint: disable=bare-except
+    except:
+        return {}
 
 
 # ============================================================================
diff --git a/backend/btrixcloud/colls.py b/backend/btrixcloud/colls.py
@@ -1289,7 +1289,7 @@ def init_collections_api(
     org_viewer_dep = orgs.org_viewer_dep
     org_public = orgs.org_public
 
-    async def coll_access_dep(
+    async def coll_internal_access_dep(
         coll_id: UUID, token_data: dict[str, str] = Depends(get_custom_jwt_token)
     ) -> UUID:
         # first, check subject match collection id and type is collection
@@ -1396,7 +1396,9 @@ async def get_collection_replay(
         tags=["collections"],
         response_model=ResourcesOnly,
     )
-    async def get_internal_replay(oid: UUID, coll_id: UUID = Depends(coll_access_dep)):
+    async def get_internal_replay(
+        oid: UUID, coll_id: UUID = Depends(coll_internal_access_dep)
+    ):
         return await colls.get_internal_replay_list(coll_id, oid)
 
     @app.get(
diff --git a/frontend/frontend.conf.template b/frontend/frontend.conf.template
@@ -70,7 +70,7 @@ server {
     # serve a 404 page for /replay/ path, as that should be taken over by RWP
     location /replay/ {
       default_type application/json;
-      return 404 "{\"error\": \"placeholder_for_replay\"}";
+      return 404 "{\"detail\":\"placeholder_for_replay\"}";
     }
 
     # used by docker only: k8s deployment handles /api directly via ingress
@@ -90,6 +90,10 @@ server {
       proxy_read_timeout 300;
     }
 
+    location ~* /internal/ {
+      return 403 "{\"detail\":\"access_denied\"}";
+    }
+
     location ~* /watch/([^/]+)/([^/]+)/([^/]+)/ws {
       set $org $1;
       set $crawl $2;
