From 5b28a25adfce1dc34a6bb88f6870ae62a2beab86 Mon Sep 17 00:00:00 2001
From: Nicolas Dupont
Date: Thu, 20 Nov 2025 17:06:03 +0100
Subject: [PATCH 1/2] Block external direct access to collection API
---
 src/collection-api/server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/collection-api/server.js b/src/collection-api/server.js
index 94b2a4352..c1b0a7eb0 100644
--- a/src/collection-api/server.js
+++ b/src/collection-api/server.js
@@ -19,7 +19,7 @@ app.use(errorsMiddleware);
 const port = config.get('@opentermsarchive/engine.collection-api.port');
-app.listen(port);
+app.listen(port, '127.0.0.1');
 if (process.env.NODE_ENV !== 'test') {
 logger.info(`Start Open Terms Archive API on http://localhost:${port}${BASE_PATH}`);
From 7e8374072c7e18cfcc46db59e607351c9530cbc2 Mon Sep 17 00:00:00 2001
From: Nicolas Dupont
Date: Thu, 20 Nov 2025 17:06:10 +0100
Subject: [PATCH 2/2] Add changelog entry
---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9920cd332..c59235540 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@
 All changes that impact users of this module are documented in this file, in the [Common Changelog](https://common-changelog.org) format with some additional specifications defined in the CONTRIBUTING file. This codebase adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## Unreleased [patch]
+
+> Development of this release was supported by the [French Ministry for Foreign Affairs](https://www.diplomatie.gouv.fr/fr/politique-etrangere-de-la-france/diplomatie-numerique/) through its ministerial [State Startups incubator](https://beta.gouv.fr/startups/open-terms-archive.html) under the aegis of the Ambassador for Digital Affairs.
+
+### Fixed
+
+- Prevent external hosts from accessing the collection API directly
+
 ## 10.0.0 - 2025-11-20
 _Full changeset and discussions: [#1207](https://github.com/OpenTermsArchive/engine/pull/1207)._
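Review bot: The bind address in `app.listen(port, '127.0.0.1')` in src/collection-api/server.js is hard-coded to the IPv4 loopback, while the log line just below it still advertises `http://localhost:${port}${BASE_PATH}`; on hosts where `localhost` resolves to `::1` first, that URL will not reach the listener. I would log the address actually bound, `http://127.0.0.1:${port}${BASE_PATH}`, and read the host from configuration next to the existing port key with loopback as the default, so a deployment that legitimately needs another interface (for example a container with a published port) does not have to patch the source. A comment above the call such as `// Loopback only: external clients must not reach the collection API directly` would record why the restriction exists. It limits network reachability only, so any local process, or a same-host proxy that forwards to this port, can presumably still reach the API without authentication. The `if (process.env.NODE_ENV !== 'test')` block continues past the end of the hunk.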