From 0594c3811ca25043c7cabbfd1128f96d4d5a4c6a Mon Sep 17 00:00:00 2001 From: Nick Caradonna Date: Wed, 28 May 2025 14:29:25 -0400 Subject: [PATCH] add internal auth bypass to new endpoints --- src/index.ts | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/index.ts b/src/index.ts index 7a44f52..352e8b4 100644 --- a/src/index.ts +++ b/src/index.ts @@ -788,7 +788,12 @@ const main = async (): Promise => { const origin = req.get('Origin') || req.get('Referer'); const allowedOrigins = ['https://app.drift.trade', 'https://beta.drift.trade']; - if (!origin || !allowedOrigins.some(allowed => origin.startsWith(allowed))) { + const hasAuth = ( + (req.headers.Authorization || req.headers.authorization) === + process.env.INTERNAL_SECRET + ) + + if (!hasAuth && (!origin || !allowedOrigins.some(allowed => origin.startsWith(allowed)))) { res.status(403).json({ error: 'Forbidden: Invalid origin' }); return; } @@ -843,9 +848,14 @@ const main = async (): Promise => { try { // Check origin validation const origin = req.get('Origin') || req.get('Referer'); - const allowedOrigins = ['https://app.drift.trade', 'https://beta.drift.trade']; + const allowedOrigins = ['https://app.drift.trade', 'https://beta.drift.trade']; - if (!origin || !allowedOrigins.some(allowed => origin.startsWith(allowed))) { + const hasAuth = ( + (req.headers.Authorization || req.headers.authorization) === + process.env.INTERNAL_SECRET + ) + + if (!hasAuth && (!origin || !allowedOrigins.some(allowed => origin.startsWith(allowed)))) { res.status(403).json({ error: 'Forbidden: Invalid origin' }); return; }