From 8434492b18743679b8e78cd3bbf1887125a96ff4 Mon Sep 17 00:00:00 2001
From: Luna <git@l4.pm>
Date: Fri, 2 May 2025 18:43:27 -0300
Subject: [PATCH] add pleroma_restrict_unauthenticated_search.lua

---
 ...leroma_restrict_unauthenticated_search.lua | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 scripts/pleroma_restrict_unauthenticated_search.lua

diff --git a/scripts/pleroma_restrict_unauthenticated_search.lua b/scripts/pleroma_restrict_unauthenticated_search.lua
new file mode 100644
index 0000000..6b7904b
--- /dev/null
+++ b/scripts/pleroma_restrict_unauthenticated_search.lua
@@ -0,0 +1,35 @@
+local function webfingerInit(cfg)
+    return {} -- no ctx
+end
+
+local function webfingerCallback(cfg, _ctx)
+    local h, err = ngx.req.get_headers()
+
+    if err == "truncated" then
+        return 400, 'too many headers'
+    end
+
+    local authheader = h["authorization"]
+
+    if authheader == nil then
+        return 400, "requires authentication"
+    else
+        return nil
+    end
+end
+
+return {
+    name='PleromaRestrictUnauthenticatedSearch',
+    author='luna@l4.pm',
+    title='restrict unauth search',
+    description=[[
+    Search can be a DoS vector. restrict it without Authorization header.
+    Useful for small instances.
+    ]],
+    version=1,
+    init=searchInit,
+    callbacks = {
+        ['/api/v2/search'] = searchCallback
+    },
+    config={},
+}