Update image upload to securely handle cross-origin requests

Refactor the CORS configuration in the image-upload Supabase function to implement environment-aware origin validation and to allow credentials, for improved security.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 567218be-0199-4aaa-af7e-8307f67d4453
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
pac7
2025-10-08 18:30:37 +00:00
parent 064bf86bce
commit ed7580fefc


@@ -1,16 +1,51 @@
import { serve } from "https://deno.land/std@0.168.0/http/server.ts"
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'
// TODO: In production, restrict CORS to specific domains
// For now, allowing all origins for development flexibility
// Example production config: 'Access-Control-Allow-Origin': 'https://yourdomain.com'
const corsHeaders = {
'Access-Control-Allow-Origin': '*',
// Environment-aware CORS configuration
const getAllowedOrigin = (requestOrigin: string | null): string => {
const environment = Deno.env.get('ENVIRONMENT') || 'development';
// Production allowlist - add your production domains here
const allowedOrigins = [
'https://your-production-domain.com',
'https://www.your-production-domain.com',
];
// In development, allow localhost and Replit domains
if (environment === 'development') {
if (requestOrigin) {
if (
requestOrigin.includes('localhost') ||
requestOrigin.includes('127.0.0.1') ||
requestOrigin.includes('.repl.co') ||
requestOrigin.includes('.replit.dev')
) {
return requestOrigin;
}
}
return '*';
}
// In production, only allow specific domains
if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
return requestOrigin;
}
// Default to first allowed origin for production
return allowedOrigins[0];
};
const getCorsHeaders = (requestOrigin: string | null) => ({
'Access-Control-Allow-Origin': getAllowedOrigin(requestOrigin),
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
}
'Access-Control-Allow-Credentials': 'true',
});
serve(async (req) => {
const requestOrigin = req.headers.get('origin');
const corsHeaders = getCorsHeaders(requestOrigin);
// Handle CORS preflight requests
if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders })