refactor: enhance frontend API key validation by checking same-origin requests

2025-10-13 01:52:19 +03:00 · 2025-10-04 03:49:15 +03:00 · 2025-10-04 03:49:15 +03:00 · 06a1b84f03
commit 06a1b84f03
parent ae34658fba
1 changed files with 28 additions and 10 deletions
--- a/src/backend/middleware/auth.ts
+++ b/src/backend/middleware/auth.ts
@ -33,17 +33,35 @@ export const apiKeyAuth = (
    const origin = req.headers.origin || req.headers.referer;
    const allowedOrigins = config.frontendAllowedOrigins;

-    // Check if origin is present and matches allowed origins
+    // If no origin/referer header, check if it's a same-origin request by checking Host header
    if (!origin) {
-      logger.warn('Frontend API key used without origin/referer header', {
-        ip: req.ip,
-        path: req.path,
-        userAgent: req.headers['user-agent'],
-      });
-      res.status(403).json({
-        error: 'Forbidden',
-        message: 'Origin header required for frontend API key',
-      });
+      const host = req.headers.host;
+      const protocol = req.protocol || 'http';
+      const requestOrigin = `${protocol}://${host}`;
+
+      // Check if the request comes from an allowed origin based on Host header
+      const isSameOriginAllowed = allowedOrigins.some(allowed =>
+        requestOrigin.startsWith(allowed)
+      );
+
+      if (!isSameOriginAllowed) {
+        logger.warn('Frontend API key used without origin/referer header', {
+          ip: req.ip,
+          path: req.path,
+          host: host,
+          requestOrigin: requestOrigin,
+          userAgent: req.headers['user-agent'],
+        });
+        res.status(403).json({
+          error: 'Forbidden',
+          message: 'Origin header required for frontend API key',
+        });
+        return;
+      }
+
+      // Same-origin request allowed
+      req.apiKeyType = 'frontend';
+      next();
      return;
    }