add internal auth bypass to new endpoints

This commit is contained in:
Nick Caradonna
2025-05-28 14:29:25 -04:00
parent a7fad9469b
commit 4d3f990782

View File

@@ -788,7 +788,12 @@ const main = async (): Promise<void> => {
const origin = req.get('Origin') || req.get('Referer'); const origin = req.get('Origin') || req.get('Referer');
const allowedOrigins = ['https://app.drift.trade', 'https://beta.drift.trade']; const allowedOrigins = ['https://app.drift.trade', 'https://beta.drift.trade'];
if (!origin || !allowedOrigins.some(allowed => origin.startsWith(allowed))) { const hasAuth = (
(req.headers.Authorization || req.headers.authorization) ===
process.env.INTERNAL_SECRET
)
if (!hasAuth && (!origin || !allowedOrigins.some(allowed => origin.startsWith(allowed)))) {
res.status(403).json({ error: 'Forbidden: Invalid origin' }); res.status(403).json({ error: 'Forbidden: Invalid origin' });
return; return;
} }
@@ -843,9 +848,14 @@ const main = async (): Promise<void> => {
try { try {
// Check origin validation // Check origin validation
const origin = req.get('Origin') || req.get('Referer'); const origin = req.get('Origin') || req.get('Referer');
const allowedOrigins = ['https://app.drift.trade', 'https://beta.drift.trade']; const allowedOrigins = ['https://app.drift.trade', 'https://beta.drift.trade'];
if (!origin || !allowedOrigins.some(allowed => origin.startsWith(allowed))) { const hasAuth = (
(req.headers.Authorization || req.headers.authorization) ===
process.env.INTERNAL_SECRET
)
if (!hasAuth && (!origin || !allowedOrigins.some(allowed => origin.startsWith(allowed)))) {
res.status(403).json({ error: 'Forbidden: Invalid origin' }); res.status(403).json({ error: 'Forbidden: Invalid origin' });
return; return;
} }