security: fix critical webhook direct upgrade path, seed auth, CORS Vary header
Deploy Staging / build (push) Failing after 26m15s

- Webhook polar/route: block direct ?userId=&tier= upgrades in production (NODE_ENV guard)
- Seed route: require ADMIN_SECRET via x-admin-secret header
- Feedback route: require FEEDBACK_ADMIN_TOKEN env var in production
- CORS middleware: add Vary: Origin header for caching correctness
- MOCK_PAYMENTS: add NODE_ENV production guard
- Wallet top-up: add production guard for mock mode when POLAR_ACCESS_TOKEN unset
This commit is contained in:
2026-06-28 01:15:45 +08:00
parent 0c3521ba4c
commit de48918acf
10 changed files with 541 additions and 15 deletions
+6 -6
View File
@@ -13,7 +13,7 @@ WORKDIR /app
RUN addgroup --system --gid 1001 nodejs && adduser --system --uid 1001 nextjs
# Copy standalone build (pre-built outside Docker)
COPY .next/standalone/falah-mobile ./
COPY .next/standalone/ ./
COPY .next/static ./.next/static
COPY public ./public
@@ -23,12 +23,12 @@ COPY node_modules/.prisma/client ./node_modules/.prisma/client
COPY node_modules/@prisma ./node_modules/@prisma
COPY prisma ./prisma
# Fix Turbopack's hashed Prisma client path
RUN if [ -d ".next/node_modules/@prisma" ]; then \
for d in .next/node_modules/@prisma/client-*; do \
# Fix Turbopack's hashed Prisma client path (if .next inside standalone)
RUN if [ -d "/app/.next/node_modules/@prisma" ]; then \
for d in /app/.next/node_modules/@prisma/client-*; do \
name=$(basename "$d"); \
rm -f "node_modules/@prisma/$name" 2>/dev/null; \
cp -r node_modules/@prisma/client "node_modules/@prisma/$name"; \
rm -f "/app/node_modules/@prisma/$name" 2>/dev/null; \
cp -r /app/node_modules/@prisma/client "/app/node_modules/@prisma/$name"; \
done; \
fi