security: fix critical webhook direct upgrade path, seed auth, CORS Vary header
Deploy Staging / build (push) Failing after 26m15s

- Webhook polar/route: block direct ?userId=&tier= upgrades in production (NODE_ENV guard)
- Seed route: require ADMIN_SECRET via x-admin-secret header
- Feedback route: require FEEDBACK_ADMIN_TOKEN env var in production
- CORS middleware: add Vary: Origin header for caching correctness
- MOCK_PAYMENTS: add NODE_ENV production guard
- Wallet top-up: add production guard for mock mode when POLAR_ACCESS_TOKEN unset
This commit is contained in:
2026-06-28 01:15:45 +08:00
parent 0c3521ba4c
commit de48918acf
10 changed files with 541 additions and 15 deletions
+2
View File
@@ -20,8 +20,10 @@ export function middleware(request: NextRequest) {
response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
response.headers.set("Access-Control-Max-Age", "86400");
response.headers.set("Vary", "Origin");
} else if (origin && !isAllowed) {
response.headers.set("Access-Control-Allow-Origin", "https://falahos.my");
response.headers.set("Vary", "Origin");
}
if (request.method === "OPTIONS") {