From bb45dbd42cc54bcd14918286636897ae0c787b55 Mon Sep 17 00:00:00 2001 From: Kyle Upton Date: Fri, 20 Sep 2024 16:33:33 -0400 Subject: [PATCH 1/2] whitelist for username based endpoints
---
 api/index.js | 14 ++++++++++++++
 api/pin.js | 14 ++++++++++++++
 api/top-langs.js | 14 ++++++++++++++
 api/wakatime.js | 14 ++++++++++++++
 src/common/utils.js | 3 ++-
 src/common/whitelist.js | 6 ++++++
 6 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 src/common/whitelist.js
diff --git a/api/index.js b/api/index.js
index 2029367ca3eb9..b1f1518a2f4fa 100644
--- a/api/index.js
+++ b/api/index.js
@@ -1,5 +1,6 @@
 import { renderStatsCard } from "../src/cards/stats-card.js";
 import { blacklist } from "../src/common/blacklist.js";
+import { whitelist } from "../src/common/whitelist.js";
 import {
 clampValue,
 CONSTANTS,
@@ -53,6 +54,19 @@ export default async (req, res) => {
 );
 }
+ if (whitelist && !whitelist.includes(username)) {
+ return res.send(
+ renderError("This username is not whitelisted", "", {
+ title_color,
+ text_color,
+ bg_color,
+ border_color,
+ theme,
+ show_repo_link: false,
+ }),
+ );
+ }
+
 if (locale && !isLocaleAvailable(locale)) {
 return res.send(
 renderError("Something went wrong", "Language not found", {
diff --git a/api/pin.js b/api/pin.js
index 0bc029d7ffda3..bdeeb81c431f3 100644
--- a/api/pin.js
+++ b/api/pin.js
@@ -1,5 +1,6 @@
 import { renderRepoCard } from "../src/cards/repo-card.js";
 import { blacklist } from "../src/common/blacklist.js";
+import { whitelist } from "../src/common/whitelist.js";
 import {
 clampValue,
 CONSTANTS,
@@ -41,6 +42,19 @@ export default async (req, res) => {
 );
 }
+ if (whitelist && !whitelist.includes(username)) {
+ return res.send(
+ renderError("This username is not whitelisted", "", {
+ title_color,
+ text_color,
+ bg_color,
+ border_color,
+ theme,
+ show_repo_link: false,
+ }),
+ );
+ }
+
 if (locale && !isLocaleAvailable(locale)) {
 return res.send(
 renderError("Something went wrong", "Language not found", {
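Review bot: The new guard's `whitelist.includes(username)` is an exact, case-sensitive string match, so a request for `Foo` is rejected when WHITELIST holds `foo` even though GitHub treats logins case-insensitively and the upstream fetch would serve the same account for either spelling. Normalise once on both sides, e.g. `whitelist.includes(username.toLowerCase())` here with the list lowercased where it is parsed in src/common/whitelist.js, and say so in a comment next to the parse so operators know which casing the gate expects. The same 13-line block is repeated verbatim in api/pin.js, api/top-langs.js and api/wakatime.js (and as a gist-id variant in api/gist.js in the second patch); a single `isWhitelisted(username)` helper exported from whitelist.js would keep the policy, and any future normalisation, in one place. The handler body and the destructuring that defines `username` lie outside the hunk.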
diff --git a/api/top-langs.js b/api/top-langs.js
index 382ee4205a87e..6435c3f9b610e 100644
--- a/api/top-langs.js
+++ b/api/top-langs.js
@@ -1,5 +1,6 @@
 import { renderTopLanguages } from "../src/cards/top-languages-card.js";
 import { blacklist } from "../src/common/blacklist.js";
+import { whitelist } from "../src/common/whitelist.js";
 import {
 clampValue,
 CONSTANTS,
@@ -48,6 +49,19 @@ export default async (req, res) => {
 );
 }
+ if (whitelist && !whitelist.includes(username)) {
+ return res.send(
+ renderError("This username is not whitelisted", "", {
+ title_color,
+ text_color,
+ bg_color,
+ border_color,
+ theme,
+ show_repo_link: false,
+ }),
+ );
+ }
+
 if (locale && !isLocaleAvailable(locale)) {
 return res.send(renderError("Something went wrong", "Locale not found"));
 }
diff --git a/api/wakatime.js b/api/wakatime.js
index de263e0644c43..fb553e92c8664 100644
--- a/api/wakatime.js
+++ b/api/wakatime.js
@@ -6,6 +6,7 @@ import {
 parseBoolean,
 renderError,
 } from "../src/common/utils.js";
+import { whitelist } from "../src/common/whitelist.js";
 import { fetchWakatimeStats } from "../src/fetchers/wakatime-fetcher.js";
 import { isLocaleAvailable } from "../src/translations.js";
@@ -36,6 +37,19 @@ export default async (req, res) => {
 res.setHeader("Content-Type", "image/svg+xml");
+ if (whitelist && !whitelist.includes(username)) {
+ return res.send(
+ renderError("This username is not whitelisted", "", {
+ title_color,
+ text_color,
+ bg_color,
+ border_color,
+ theme,
+ show_repo_link: false,
+ }),
+ );
+ }
+
 if (locale && !isLocaleAvailable(locale)) {
 return res.send(
 renderError("Something went wrong", "Language not found", {
diff --git a/src/common/utils.js b/src/common/utils.js
index 48ea051783b7f..15586d520b053 100644
--- a/src/common/utils.js
+++ b/src/common/utils.js
@@ -364,6 +364,7 @@ const renderError = (message, secondaryMessage = "", options = {}) => {
 bg_color,
 border_color,
 theme = "default",
+ show_repo_link = true,
 } = options;
 // returns theme based colors with proper overrides and defaults
@@ -388,7 +389,7 @@ const renderError = (message, secondaryMessage = "", options = {}) => {
 ERROR_CARD_LENGTH - 1
 }" height="99%" rx="4.5" fill="${bgColor}" stroke="${borderColor}"/>
 Something went wrong!${
- UPSTREAM_API_ERRORS.includes(secondaryMessage)
+ UPSTREAM_API_ERRORS.includes(secondaryMessage) || !show_repo_link
 ? ""
 : " file an issue at https://tiny.one/readme-stats"
 }
diff --git a/src/common/whitelist.js b/src/common/whitelist.js
new file mode 100644
index 0000000000000..cff58c18d1e9e
--- /dev/null
+++ b/src/common/whitelist.js
@@ -0,0 +1,6 @@
+const whitelist = process.env.WHITELIST
+ ? process.env.WHITELIST.split(",")
+ : undefined;
+
+export { whitelist };
+export default whitelist;
From ca72b73fbefd69a5a309961b41cf7ea88efba241 Mon Sep 17 00:00:00 2001 From: Kyle Upton Date: Fri, 20 Sep 2024 16:39:25 -0400 Subject: [PATCH 2/2] added gist whitelist
---
 api/gist.js | 14 ++++++++++++++
 src/common/whitelist.js | 6 +++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/api/gist.js b/api/gist.js
index 8821c7b094b9e..c7b9b2e2d54fb 100644
--- a/api/gist.js
+++ b/api/gist.js
@@ -4,6 +4,7 @@ import {
 renderError,
 parseBoolean,
 } from "../src/common/utils.js";
+import { gistWhitelist } from "../src/common/whitelist.js";
 import { isLocaleAvailable } from "../src/translations.js";
 import { renderGistCard } from "../src/cards/gist-card.js";
 import { fetchGist } from "../src/fetchers/gist-fetcher.js";
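Review bot: The new `show_repo_link` option in renderError is not documented alongside the other options it is destructured with; if renderError carries a JSDoc block above its signature (outside this hunk), it should gain one line such as `@param {boolean} [options.show_repo_link=true] - Append the "file an issue" hint to the error text; pass false for policy rejections that are not bugs.`. In the second hunk the suppression is folded into the SVG template as `UPSTREAM_API_ERRORS.includes(secondaryMessage) || !show_repo_link`, which works but hides a policy decision inside a string; computing `const showIssueLink = show_repo_link && !UPSTREAM_API_ERRORS.includes(secondaryMessage);` before the template and testing `showIssueLink` in it reads more clearly and is easier to unit-test. renderError starts and ends outside both hunks.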
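Review bot: `process.env.WHITELIST.split(",")` in the new src/common/whitelist.js keeps surrounding whitespace and empty entries, so a value written as `alice, bob` yields `" bob"` and silently rejects bob, while a trailing comma yields an empty-string entry that matches nothing. The parse should trim each entry, drop empties, and fold a set-but-empty variable into the same `undefined` as an unset one so the gate is unambiguously either on or off; an unset or misspelled variable currently disables the restriction with no signal, so a one-line startup log stating whether the whitelist is active would make that misconfiguration visible. The same parse is copied for GIST_WHITELIST in the second patch's whitelist.js hunk and should go through the same helper (`const gistWhitelist = parseAllowList(process.env.GIST_WHITELIST);`).
```javascript
/**
 * Parse a comma-separated env value into a trimmed list of entries.
 * Returns undefined when the variable is unset or contains no entries,
 * which callers treat as "gate disabled".
 */
const parseAllowList = (raw) => {
  const entries = (raw ?? "")
    .split(",")
    .map((entry) => entry.trim())
    .filter(Boolean);
  return entries.length > 0 ? entries : undefined;
};

const whitelist = parseAllowList(process.env.WHITELIST);
// … unchanged: exports …
```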
@@ -26,6 +27,19 @@ export default async (req, res) => {
 res.setHeader("Content-Type", "image/svg+xml");
+ if (gistWhitelist && !gistWhitelist.includes(id)) {
+ return res.send(
+ renderError("This gist id is not whitelisted", "", {
+ title_color,
+ text_color,
+ bg_color,
+ border_color,
+ theme,
+ show_repo_link: false,
+ }),
+ );
+ }
+
 if (locale && !isLocaleAvailable(locale)) {
 return res.send(
 renderError("Something went wrong", "Language not found", {
diff --git a/src/common/whitelist.js b/src/common/whitelist.js
index cff58c18d1e9e..b5df7c70cacc8 100644
--- a/src/common/whitelist.js
+++ b/src/common/whitelist.js
@@ -2,5 +2,9 @@ const whitelist = process.env.WHITELIST
 ? process.env.WHITELIST.split(",")
 : undefined;
-export { whitelist };
+const gistWhitelist = process.env.GIST_WHITELIST
+ ? process.env.GIST_WHITELIST.split(",")
+ : undefined;
+
+export { whitelist, gistWhitelist };
 export default whitelist;