From e0f2a79d70073e693765f9be6a395669406b85a3 Mon Sep 17 00:00:00 2001 From: regalijan Date: Thu, 19 Oct 2023 16:50:17 -0400 Subject: [PATCH] Set origin based on browser origin header --- functions/api/reports/submit.ts | 4 ++++ functions/gcloud.ts | 6 ++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/functions/api/reports/submit.ts b/functions/api/reports/submit.ts index 7e901a5..eefb907 100644 --- a/functions/api/reports/submit.ts +++ b/functions/api/reports/submit.ts @@ -37,6 +37,9 @@ export async function onRequestPost(context: RequestContext) { if (!success) return errorResponse("Captcha test failed", 403); } + const origin = context.request.headers.get("Origin"); + if (!origin) return errorResponse("No origin header", 400); + if (bypass && !(context.data.current_user?.permissions & (1 << 5))) return errorResponse("Bypass directive cannot be used", 403); @@ -178,6 +181,7 @@ export async function onRequestPost(context: RequestContext) { `t/${fileUploadKey}`, file.size, fileExten, + origin, ), ); } diff --git a/functions/gcloud.ts b/functions/gcloud.ts index b10284c..96e3110 100644 --- a/functions/gcloud.ts +++ b/functions/gcloud.ts @@ -17,6 +17,7 @@ export async function GenerateUploadURL( path: string, size: number, fileExt: string, + origin: string, ): Promise { const accessToken = await GetAccessToken(env); const contentTypes: { [k: string]: string } = { @@ -43,10 +44,7 @@ export async function GenerateUploadURL( { headers: { authorization: `Bearer ${accessToken}`, - origin: - typeof env.LOCAL === "undefined" - ? "https://carcrushers.cc" - : "http://localhost:8788", + origin, "x-upload-content-type": contentTypes[fileExt], "x-upload-content-length": size.toString(), },