diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
index 73e02ef..1f473f6 100644
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@@ -14,6 +14,7 @@ const allowCors = async (_: Request): Promise => {
 };
 type Handler = (req: Request) => Promise;
+type Middleware = (fn: Handler) => Handler;
 const withCors = (fn: Handler): Handler => {
   return async (req) => {
@@ -57,14 +58,26 @@ const withLogger = (fn: Handler): Handler => {
   };
 };
+const withFrontendReferrer: Middleware = (fn) => {
+  return async (req) => {
+    const referrer = req.headers.get("referrer");
+
+    if (referrer !== ENV.FRONTEND_URL) {
+      return new Response(undefined, { status: 403 });
+    }
+
+    return fn(req);
+  };
+};
+
 const server = Bun.serve({
   port: ENV.PORT,
   routes: {
     "/health": new Response("alive!"),
     "/sign": {
-      GET: withLogger(withCors(getPetitions)),
-      POST: withLogger(withCors(signPetition)),
-      OPTIONS: withLogger(allowCors),
+      GET: withFrontendReferrer(withLogger(withCors(getPetitions))),
+      POST: withFrontendReferrer(withLogger(withCors(signPetition))),
+      OPTIONS: withFrontendReferrer(withLogger(allowCors)),
     },
   },
 });
diff --git a/packages/frontend/src/network/index.ts b/packages/frontend/src/network/index.ts
index 9e7442b..ef9e732 100644
--- a/packages/frontend/src/network/index.ts
+++ b/packages/frontend/src/network/index.ts
@@ -12,7 +12,7 @@ const signedPetitionSignatures = z.array(signedPetitionWithParsedDate);
 export const getSignatures = async (): Promise<
   z.infer
 > => {
-  const res = await fetch(`${backendUrl}/sign`);
+  const res = await fetch(`${backendUrl}/sign`, { referrer: location.origin });
   const body = await res.json();
   const validatedBody = signedPetitionSignatures.parse(body);
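Review bot: `req.headers.get("referrer")` in withFrontendReferrer reads a header no browser sends — the HTTP header is spelled `Referer` — so the new guard will return 403 for every browser request, and because withLogger sits inside this middleware those rejections are never logged. Even with the name fixed, strict equality against `ENV.FRONTEND_URL` (defined outside this hunk) is fragile: a browser serializes `referrer: location.origin` as the origin plus a trailing slash, or a full page URL depending on referrer policy, so compare origins rather than raw strings: `const referrer = req.headers.get("referer");` and `if (!referrer || new URL(referrer).origin !== new URL(ENV.FRONTEND_URL).origin) {` (wrap the `new URL` in a try/catch since a malformed value throws). Note that Referer is entirely client-controlled, so this only deters casual cross-site use by browsers; it is not an authentication or authorization boundary and should be documented as such, e.g. `// Best-effort check: Referer is client-supplied and can be forged by any non-browser client.` Consider moving withFrontendReferrer inside withLogger so 403s are visible in the logs.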
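Review bot: Passing `referrer: location.origin` does not guarantee the header reaches the backend — the document's referrer policy (a `no-referrer` meta tag or `Referrer-Policy` header) or an HTTPS→HTTP downgrade can suppress it, in which case the backend's new 403 check rejects the call. Set the policy on the request explicitly: `const res = await fetch(`${backendUrl}/sign`, { referrer: location.origin, referrerPolicy: "strict-origin-when-cross-origin" });`. The backend now also requires the Referer on POST and the OPTIONS preflight, so if the sign request elsewhere in this file (not in the hunk) calls fetch without this option it presumably breaks the same way; a shared helper that applies these options would keep the two paths consistent.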