refactor: enhance frontend API key validation by checking same-origin requests

Tudor Stanciu 2025-10-04 03:49:15 +03:00
parent ae34658fba
commit 06a1b84f03


@ -33,17 +33,35 @@ export const apiKeyAuth = (
const origin = req.headers.origin || req.headers.referer; const origin = req.headers.origin || req.headers.referer;
const allowedOrigins = config.frontendAllowedOrigins; const allowedOrigins = config.frontendAllowedOrigins;
// Check if origin is present and matches allowed origins // If no origin/referer header, check if it's a same-origin request by checking Host header
if (!origin) { if (!origin) {
logger.warn('Frontend API key used without origin/referer header', { const host = req.headers.host;
ip: req.ip, const protocol = req.protocol || 'http';
path: req.path, const requestOrigin = `${protocol}://${host}`;
userAgent: req.headers['user-agent'],
}); // Check if the request comes from an allowed origin based on Host header
res.status(403).json({ const isSameOriginAllowed = allowedOrigins.some(allowed =>
error: 'Forbidden', requestOrigin.startsWith(allowed)
message: 'Origin header required for frontend API key', );
});
if (!isSameOriginAllowed) {
logger.warn('Frontend API key used without origin/referer header', {
ip: req.ip,
path: req.path,
host: host,
requestOrigin: requestOrigin,
userAgent: req.headers['user-agent'],
});
res.status(403).json({
error: 'Forbidden',
message: 'Origin header required for frontend API key',
});
return;
}
// Same-origin request allowed
req.apiKeyType = 'frontend';
next();
return; return;
} }