security: fix critical webhook direct upgrade path, seed auth, CORS Vary header
Deploy Staging / build (push) Failing after 26m15s

- Webhook polar/route: block direct ?userId=&tier= upgrades in production (NODE_ENV guard)
- Seed route: require ADMIN_SECRET via x-admin-secret header
- Feedback route: require FEEDBACK_ADMIN_TOKEN env var in production
- CORS middleware: add Vary: Origin header for caching correctness
- MOCK_PAYMENTS: add NODE_ENV production guard
- Wallet top-up: add production guard for mock mode when POLAR_ACCESS_TOKEN unset
This commit is contained in:
2026-06-28 01:15:45 +08:00
parent 0c3521ba4c
commit de48918acf
10 changed files with 541 additions and 15 deletions
+11 -1
View File
@@ -66,7 +66,17 @@ export async function POST(request: NextRequest) {
export async function GET(request: NextRequest) {
// Admin-only endpoint — return paginated feedback
const authHeader = request.headers.get("authorization") || "";
const adminToken = process.env.FEEDBACK_ADMIN_TOKEN || "flh-feedback-admin";
const adminToken = process.env.FEEDBACK_ADMIN_TOKEN;
// Require token to be set in production
if (!adminToken) {
if (process.env.NODE_ENV === "production") {
console.error("FEEDBACK_ADMIN_TOKEN not configured");
return NextResponse.json({ error: "Server configuration error" }, { status: 500 });
}
// Dev fallback only
return NextResponse.json({ error: "Unauthorized — configure FEEDBACK_ADMIN_TOKEN" }, { status: 401 });
}
// Simple token auth
if (authHeader !== `Bearer ${adminToken}`) {