
Commit dae9efd

committed
fix rejectWrongOrigin function
1 parent 765d002 commit dae9efd

2 files changed

Lines changed: 27 additions & 5 deletions


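--- a/utils/reject-not-allowed-graphql-operations.ts
+++ b/utils/reject-not-allowed-graphql-operations.ts
@@ -1,6 +1,6 @@
 import { type FieldNode, type OperationDefinitionNode, parse, visit } from 'graphql';
 
-const ALLOWED_ROOT_FIELDS = new Set(['globalRankByLogin', 'user', 'insights', 'insight', 'organization']);
+const ALLOWED_ROOT_FIELDS = new Set(['globalRankByLogin', 'insight', 'insights', 'organization', 'user']);
 
 export function rejectNotAllowedGraphqlOperations(query: string): boolean {
   try {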
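--- a/utils/reject-wrong-origin.ts
+++ b/utils/reject-wrong-origin.ts
@@ -1,19 +1,41 @@
 import type { NextRequest } from 'next/server';
 
+const normalizeHost = (value: string | null) => {
+  if (!value) {
+    return null;
+  }
+
+  try {
+    // Handle full origins like "https://gitranks.com/".
+    const parsed = new URL(value);
+    return parsed.host.toLowerCase();
+  } catch {
+    // Handle plain hosts like "gitranks.com" or "gitranks.com/".
+    return value.replace(/^https?:\/\//, '').replace(/\/+$/, '').toLowerCase();
+  }
+};
+
 export const rejectWrongOrigin = (req: NextRequest) => {
   const origin = req.headers.get('origin') || req.headers.get('referer');
-  const host = req.headers.get('host');
-  const expectedHost = process.env.NEXT_PUBLIC_URI!;
+  const host = normalizeHost(req.headers.get('host'));
+  const expectedHost = normalizeHost(process.env.NEXT_PUBLIC_URI!);
 
   // Block if:
   // - No origin/referer (i.e., not from browser)
   // - AND host isn't your domain (i.e., not internal server-side call either)
-  if (!origin && host !== expectedHost.replace(/^https?:\/\//, '')) {
+  if (!origin && host !== expectedHost) {
     return true;
   }
 
   // If origin exists, validate it matches expected domain
-  if (origin && !origin.startsWith(expectedHost)) {
+  if (origin) {
+    const originHost = normalizeHost(origin);
+    if (originHost !== expectedHost) {
+      return true;
+    }
+  }
+
+  if (!expectedHost) {
     return true;
   }
 };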
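Review bot: normalizeHost misparses a scheme-less `host:port` value in its `try` branch — `new URL('localhost:3000')` does not throw but parses `localhost:` as the scheme with an empty host, so a Host header carrying a port (a dev server, or any deployment behind a non-default port) normalizes to `''` while NEXT_PUBLIC_URI `http://localhost:3000` normalizes to `localhost:3000`, and the first check then rejects every request that has no Origin/Referer. Give scheme-less values a scheme before parsing so both inputs reach the same `host[:port]` form, leaving the `catch` fallback for values URL still rejects. The `!expectedHost` guard at the bottom would also read better as the first statement of rejectWrongOrigin: with NEXT_PUBLIC_URI unset the earlier comparisons already reject everything, and putting the guard first makes that intent explicit.

```typescript
const normalizeHost = (value: string | null) => {
  // … unchanged: null guard …
  try {
    // A bare "host:port" (e.g. "localhost:3000") is parsed by URL as a scheme
    // plus path and yields an empty host, so give scheme-less values a scheme.
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
    const parsed = new URL(hasScheme ? value : `http://${value}`);
    return parsed.host.toLowerCase();
  } catch {
    // Values URL still rejects: strip any scheme and trailing slashes.
    return value.replace(/^https?:\/\//, '').replace(/\/+$/, '').toLowerCase();
  }
};
```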
