feat: checking referrer request

This and CORS should at least filter out most potential errors. Plus
some cloudflare protections should be OK.

Could even add captcha

packages/backend/src/index.ts

@@ -14,6 +14,7 @@ const allowCors = async (_: Request): Promise<Response> => {
 };
 
 type Handler = (req: Request) => Promise<Response>;
+type Middleware = (fn: Handler) => Handler;
 
 const withCors = (fn: Handler): Handler => {
 	return async (req) => {
@@ -57,14 +58,26 @@ const withLogger = (fn: Handler): Handler => {
 	};
 };
 
+const withFrontendReferrer: Middleware = (fn) => {
+	return async (req) => {
+		const referrer = req.headers.get("referrer");
+
+		if (referrer !== ENV.FRONTEND_URL) {
+			return new Response(undefined, { status: 403 });
+		}
+
+		return fn(req);
+	};
+};
+
 const server = Bun.serve({
 	port: ENV.PORT,
 	routes: {
 		"/health": new Response("alive!"),
 		"/sign": {
-			GET: withLogger(withCors(getPetitions)),
+			GET: withFrontendReferrer(withLogger(withCors(getPetitions))),
-			POST: withLogger(withCors(signPetition)),
+			POST: withFrontendReferrer(withLogger(withCors(signPetition))),
-			OPTIONS: withLogger(allowCors),
+			OPTIONS: withFrontendReferrer(withLogger(allowCors)),
 		},
 	},
 });

packages/frontend/src/network/index.ts

@@ -12,7 +12,7 @@ const signedPetitionSignatures = z.array(signedPetitionWithParsedDate);
 export const getSignatures = async (): Promise<
 	z.infer<typeof signedPetitionSignatures>
 > => {
-	const res = await fetch(`${backendUrl}/sign`);
+	const res = await fetch(`${backendUrl}/sign`, { referrer: location.origin });
 
 	const body = await res.json();
 	const validatedBody = signedPetitionSignatures.parse(body);