refactor: enhance frontend API key validation by checking same-origin requests

src/backend/middleware/auth.ts

@@ -33,11 +33,23 @@ export const apiKeyAuth = (
     const origin = req.headers.origin || req.headers.referer;
     const allowedOrigins = config.frontendAllowedOrigins;
 
-    // Check if origin is present and matches allowed origins
+    // If no origin/referer header, check if it's a same-origin request by checking Host header
     if (!origin) {
+      const host = req.headers.host;
+      const protocol = req.protocol || 'http';
+      const requestOrigin = `${protocol}://${host}`;
+
+      // Check if the request comes from an allowed origin based on Host header
+      const isSameOriginAllowed = allowedOrigins.some(allowed =>
+        requestOrigin.startsWith(allowed)
+      );
+
+      if (!isSameOriginAllowed) {
         logger.warn('Frontend API key used without origin/referer header', {
           ip: req.ip,
           path: req.path,
+          host: host,
+          requestOrigin: requestOrigin,
           userAgent: req.headers['user-agent'],
         });
         res.status(403).json({
@@ -47,6 +59,12 @@ export const apiKeyAuth = (
         return;
       }
 
+      // Same-origin request allowed
+      req.apiKeyType = 'frontend';
+      next();
+      return;
+    }
+
     const isOriginAllowed = allowedOrigins.some(allowed =>
       origin.startsWith(allowed)
     );