fix: handle header array edge case and add URL scheme validation for SSRF mitigation

Author: JYC333

apps/server/src/services/auth.ts

@@ -168,10 +168,11 @@ function checkCredentials(req: Request, res: Response, next: NextFunction) {
 
     // Verify TOTP if enabled
     if (totp.isTotpEnabled()) {
-        const totpToken = req.headers["trilium-totp"] || "";
+        const totpHeader = req.headers["trilium-totp"];
+        const totpToken = Array.isArray(totpHeader) ? totpHeader[0] : totpHeader;
         if (typeof totpToken !== "string" || !totpToken) {
             res.setHeader("Content-Type", "text/plain").status(401).send("TOTP token is required");
-            log.info(`WARNING: Missing TOTP token from ${req.ip}, rejecting.`);
+            log.info(`WARNING: Missing or invalid TOTP token from ${req.ip}, rejecting.`);
             return;
         }
 

apps/server/src/services/setup.ts

@@ -112,6 +112,11 @@ function getSyncSeedOptions() {
 }
 
 async function checkRemoteTotpStatus(syncServerHost: string): Promise<{ totpEnabled: boolean }> {
+    // Validate URL scheme to mitigate SSRF
+    if (!syncServerHost.startsWith("http://") && !syncServerHost.startsWith("https://")) {
+        return { totpEnabled: false };
+    }
+
     try {
         const resp = await request.exec<{ totpEnabled?: boolean }>({
             method: "get",