mirror of
https://github.com/pacnpal/thrilltrack-explorer.git
synced 2025-12-20 08:11:13 -05:00
Improve error handling and stability across the application
Refactor error handling in `useEntityVersions` and `useSearch` hooks, enhance `NotificationService` with better error extraction and logging, and implement critical fallback mechanisms in the `detect-location` function's rate limit cleanup. Update CORS configuration in `upload-image` function for stricter origin checks and better security. Replit-Commit-Author: Agent Replit-Commit-Session-Id: f4df1950-6410-48d0-b2de-f4096732504b Replit-Commit-Checkpoint-Type: intermediate_checkpoint
This commit is contained in:
pac7
@@ -2,7 +2,12 @@ import { serve } from "https://deno.land/std@0.168.0/http/server.ts"
|
||||
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'
|
||||
|
||||
// Environment-aware CORS configuration
|
||||
const getAllowedOrigin = (requestOrigin: string | null): string => {
|
||||
const getAllowedOrigin = (requestOrigin: string | null): string | null => {
|
||||
// If no origin header, it's not a CORS request (same-origin or server-to-server)
|
||||
if (!requestOrigin) {
|
||||
return null;
|
||||
}
|
||||
|
||||
const environment = Deno.env.get('ENVIRONMENT') || 'development';
|
||||
|
||||
// Production allowlist - configure via ALLOWED_ORIGINS environment variable
|
||||
@@ -10,36 +15,44 @@ const getAllowedOrigin = (requestOrigin: string | null): string => {
|
||||
const allowedOriginsEnv = Deno.env.get('ALLOWED_ORIGINS') || '';
|
||||
const allowedOrigins = allowedOriginsEnv.split(',').filter(origin => origin.trim());
|
||||
|
||||
// In development, allow localhost and Replit domains
|
||||
// In development, only allow localhost and Replit domains - nothing else
|
||||
if (environment === 'development') {
|
||||
if (requestOrigin) {
|
||||
if (
|
||||
requestOrigin.includes('localhost') ||
|
||||
requestOrigin.includes('127.0.0.1') ||
|
||||
requestOrigin.includes('.repl.co') ||
|
||||
requestOrigin.includes('.replit.dev')
|
||||
) {
|
||||
return requestOrigin;
|
||||
}
|
||||
if (
|
||||
requestOrigin.includes('localhost') ||
|
||||
requestOrigin.includes('127.0.0.1') ||
|
||||
requestOrigin.includes('.repl.co') ||
|
||||
requestOrigin.includes('.replit.dev')
|
||||
) {
|
||||
return requestOrigin;
|
||||
}
|
||||
return '*';
|
||||
// Origin not allowed in development - log and deny
|
||||
console.warn(`[CORS] Origin not allowed in development mode: ${requestOrigin}`);
|
||||
return null;
|
||||
}
|
||||
|
||||
// In production, only allow specific domains from environment variable
|
||||
if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
|
||||
if (allowedOrigins.includes(requestOrigin)) {
|
||||
return requestOrigin;
|
||||
}
|
||||
|
||||
// Default to first allowed origin for production, or deny if none configured
|
||||
return allowedOrigins.length > 0 ? allowedOrigins[0] : requestOrigin || '*';
|
||||
// Origin not allowed in production - log and deny
|
||||
console.warn(`[CORS] Origin not allowed in production mode: ${requestOrigin}`);
|
||||
return null;
|
||||
};
|
||||
|
||||
const getCorsHeaders = (requestOrigin: string | null) => ({
|
||||
'Access-Control-Allow-Origin': getAllowedOrigin(requestOrigin),
|
||||
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
|
||||
'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
|
||||
'Access-Control-Allow-Credentials': 'true',
|
||||
});
|
||||
const getCorsHeaders = (allowedOrigin: string | null): Record<string, string> => {
|
||||
// If no allowed origin, return empty headers (no CORS access)
|
||||
if (!allowedOrigin) {
|
||||
return {};
|
||||
}
|
||||
|
||||
return {
|
||||
'Access-Control-Allow-Origin': allowedOrigin,
|
||||
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
|
||||
'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
|
||||
'Access-Control-Allow-Credentials': 'true',
|
||||
};
|
||||
};
|
||||
|
||||
// Helper to create authenticated Supabase client
|
||||
const createAuthenticatedSupabaseClient = (authHeader: string) => {
|
||||
@@ -57,7 +70,24 @@ const createAuthenticatedSupabaseClient = (authHeader: string) => {
|
||||
|
||||
serve(async (req) => {
|
||||
const requestOrigin = req.headers.get('origin');
|
||||
const corsHeaders = getCorsHeaders(requestOrigin);
|
||||
const allowedOrigin = getAllowedOrigin(requestOrigin);
|
||||
|
||||
// Check if this is a CORS request with a disallowed origin
|
||||
if (requestOrigin && !allowedOrigin) {
|
||||
console.error(`[CORS] Request rejected for disallowed origin: ${requestOrigin}`);
|
||||
return new Response(
|
||||
JSON.stringify({
|
||||
error: 'Origin not allowed',
|
||||
message: 'The origin of this request is not allowed to access this resource'
|
||||
}),
|
||||
{
|
||||
status: 403,
|
||||
headers: { 'Content-Type': 'application/json' }
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
const corsHeaders = getCorsHeaders(allowedOrigin);
|
||||
|
||||
// Handle CORS preflight requests
|
||||
if (req.method === 'OPTIONS') {
|
||||
|
||||
Reference in New Issue
Block a user