allow same-origin requests without explicit origin header

This commit is contained in:
2026-03-21 22:08:59 +02:00
parent e83cfc18c2
commit 07c1cf9940


@@ -86,9 +86,9 @@ export async function createServer() {
app.addHook("onRequest", async (req, reply) => { app.addHook("onRequest", async (req, reply) => {
if (["POST", "PUT", "PATCH", "DELETE"].includes(req.method)) { if (["POST", "PUT", "PATCH", "DELETE"].includes(req.method)) {
const origin = req.headers.origin; const origin = req.headers.origin;
// Server-to-server webhook calls don't send Origin headers // no Origin header = same-origin request or server-to-server call
if (!origin && req.url.startsWith('/api/v1/plugins/') && req.url.includes('/webhook')) return; if (!origin) return;
if (!origin || !allowedOrigins.has(origin)) { if (!allowedOrigins.has(origin)) {
return reply.status(403).send({ error: "Forbidden" }); return reply.status(403).send({ error: "Forbidden" });
} }
} }
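Review bot: The new `if (!origin) return;` turns the Origin check from a deny-by-default CSRF gate into an allow-by-default one for every state-changing request that arrives without an Origin header, whereas the removed line limited that exemption to the plugin webhook route. The comment's premise "no Origin header = same-origin request" is not something the code can verify; a missing Origin only means the caller did not send one, so any request path or client that omits it now bypasses the `allowedOrigins` check entirely (whether the webhook route has its own authentication is not visible here). A safer shape keeps the webhook carve-out explicit and, for other Origin-less requests, falls back to `Sec-Fetch-Site`, accepting only `same-origin` or `none` (user-initiated) and returning 403 otherwise, as sketched below. The `app.addHook` callback and `createServer` both start before and end after this hunk.
```javascript
const origin = req.headers.origin;
if (!origin) {
  // Server-to-server callers (the plugin webhook route) send no Origin; keep
  // that exemption explicit instead of trusting every Origin-less request.
  if (req.url.startsWith('/api/v1/plugins/') && req.url.includes('/webhook')) return;
  // Current browsers set Sec-Fetch-Site even when Origin is absent; only
  // "same-origin" and "none" (user-initiated) are safe to let through here.
  const site = req.headers["sec-fetch-site"];
  if (site === "same-origin" || site === "none") return;
  return reply.status(403).send({ error: "Forbidden" });
}
if (!allowedOrigins.has(origin)) {
// … unchanged: 403 response for disallowed origins …
```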