- Rotate 5 exposed production secrets (JWT, ENCRYPTION, ADMIN, POSTGRES, REDIS) - Fix MOCK_PAYMENTS opt-in (now defaults to disabled) - HMAC-SHA256 webhook verification with timing-safe comparison - Purge dangling git blobs (git gc --prune=now) - Rate limiting on auth routes (10/15min per IP) - CORS middleware restricted to falahos.my - Fix walletBalance → flhBalance (Prisma schema mismatch)
This commit is contained in:
@@ -0,0 +1,39 @@
|
||||
import { NextResponse } from "next/server";
|
||||
import type { NextRequest } from "next/server";
|
||||
|
||||
const ALLOWED_ORIGINS = [
|
||||
"https://falahos.my",
|
||||
"https://www.falahos.my",
|
||||
"http://localhost:3000",
|
||||
"http://localhost:4013",
|
||||
"http://localhost:4014",
|
||||
];
|
||||
|
||||
export function middleware(request: NextRequest) {
|
||||
const origin = request.headers.get("origin") || "";
|
||||
const isAllowed = !origin || ALLOWED_ORIGINS.includes(origin);
|
||||
|
||||
const response = NextResponse.next();
|
||||
|
||||
if (origin && isAllowed) {
|
||||
response.headers.set("Access-Control-Allow-Origin", origin);
|
||||
response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
|
||||
response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
|
||||
response.headers.set("Access-Control-Max-Age", "86400");
|
||||
} else if (origin && !isAllowed) {
|
||||
response.headers.set("Access-Control-Allow-Origin", "https://falahos.my");
|
||||
}
|
||||
|
||||
if (request.method === "OPTIONS") {
|
||||
return new NextResponse(null, {
|
||||
status: 204,
|
||||
headers: response.headers,
|
||||
});
|
||||
}
|
||||
|
||||
return response;
|
||||
}
|
||||
|
||||
export const config = {
|
||||
matcher: "/api/:path*",
|
||||
};
|
||||
Reference in New Issue
Block a user