feat(dcellar-web-ui): add domain validate for api
devinxl committed Mar 29, 2024
1 parent 3587213 commit 8263775
Showing 7 changed files with 45 additions and 6 deletions.
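--- a/apps/dcellar-web-ui/src/base/env.ts
+++ b/apps/dcellar-web-ui/src/base/env.ts
@@ -24,7 +24,12 @@ const {
 NEXT_PUBLIC_APOLLO_GLOBAL_NOTIFICATION,
 NEXT_PUBLIC_APOLLO_GLOBAL_NOTIFICATION_ETA,
 } = publicRuntimeConfig || {};
-const { NEXT_PRIVATE_BILLING_API_URL, NEXT_PRIVATE_EXPLORER_API_URL } = serverRuntimeConfig || {};
+
+const {
+NEXT_PRIVATE_BILLING_API_URL,
+NEXT_PRIVATE_EXPLORER_API_URL,
+NEXT_PRIVATE_ALLOWED_DOMAINS,
+} = serverRuntimeConfig || {};
 
 export type TRuntimeEnv = 'development' | 'qa' | 'testnet' | 'mainnet';
 
@@ -44,8 +49,11 @@ export const GREENFIELD_CHAIN_EXPLORER_URL = NEXT_PUBLIC_GREENFIELD_CHAIN_EXPLOR
 export const BSC_EXPLORER_URL = NEXT_PUBLIC_BSC_EXPLORER_URL;
 export const GREENFIELD_MAINNET_ID = NEXT_PUBLIC_GREENFIELD_CHAIN_MAINNET_ID;
 export const GREENFIELD_MAINNET_RPC_URL = NEXT_PUBLIC_GREENFIELD_CHAIN_MAINNET_RPC_URL;
+
 export const BILLING_API_URL = NEXT_PRIVATE_BILLING_API_URL;
 export const EXPLORER_API_URL = NEXT_PRIVATE_EXPLORER_API_URL;
+export const ALLOWED_DOMAINS = NEXT_PRIVATE_ALLOWED_DOMAINS;
+
 export const mainnetSpMetaEndpoint = NEXT_PUBLIC_APOLLO_MAINNET_SP_RECOMMEND_META;
 
 export const defaultApolloConfig = {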
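Review bot: `export const ALLOWED_DOMAINS = NEXT_PRIVATE_ALLOWED_DOMAINS;` in the second hunk documents neither the expected format nor what happens when the variable is unset; unlike the URL constants around it, this value is handed straight to `.split(',')` in utils/req.ts, so a deployment that omits `NEXT_PRIVATE_ALLOWED_DOMAINS` passes `undefined` into the referer check instead of an empty allow-list. Suggest a comment above it, `// Comma-separated hostnames accepted as Referer by the /api proxy routes (consumed by validateReferer in utils/req.ts).`, and a defined default, `export const ALLOWED_DOMAINS = NEXT_PRIVATE_ALLOWED_DOMAINS ?? '';`. Whether serverRuntimeConfig is typed or `any` is not visible here, so the default may also need an explicit `: string` annotation.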
@@ -1,9 +1,13 @@
import { BILLING_API_URL } from '@/base/env';
import { ALLOWED_DOMAINS, BILLING_API_URL } from '@/base/env';
import { validateReferer } from '@/utils/req';
import axios from 'axios';
import { NextApiRequest, NextApiResponse } from 'next';
import qs from 'query-string';

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
if (!validateReferer(req.headers.referer || '', ALLOWED_DOMAINS)) {
res.status(403).json({ message: 'Forbidden' });
}
const { slug, ...query } = req.query;
const slugs = slug as string[];
const url = `${BILLING_API_URL}/greenfield/bill_monthly/${slugs.join('/')}?${qs.stringify(query)}`;
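Review bot: The 403 branch added at the top of the handler does not return, so a request with a rejected Referer still falls through to destructure `req.query`, build the upstream URL and (in the part of the handler below this hunk) proxy the call; the check only changes what the client sees, not whether the backend request is made, and the later write to `res` will most likely fail with a headers-already-sent error. The fix is a one-word change, `return res.status(403).json({ message: 'Forbidden' });`. The same missing `return` appears in the other four handler hunks of this commit (the next unlabelled section, chart/[[...slug]].ts, policies/[[...slug]].ts and total_cost/[[...slug]].ts); it should be fixed in all five. Note also that Referer is supplied by the client, so this guards browser-originated cross-site use only and is not an authentication control; a short comment saying so above the check would stop a later reader from relying on it as one. The enclosing handler continues past the end of the hunk.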
@@ -1,9 +1,13 @@
import { BILLING_API_URL } from '@/base/env';
import { ALLOWED_DOMAINS, BILLING_API_URL } from '@/base/env';
import { validateReferer } from '@/utils/req';
import axios from 'axios';
import { NextApiRequest, NextApiResponse } from 'next';
import qs from 'query-string';

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
if (!validateReferer(req.headers.referer || '', ALLOWED_DOMAINS)) {
res.status(403).json({ message: 'Forbidden' });
}
const { slug, ...query } = req.query;
const slugs = slug as string[];
const url = `${BILLING_API_URL}/greenfield/bill_realtime/${slugs.join('/')}?${qs.stringify(query)}`;
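--- a/apps/dcellar-web-ui/src/pages/api/chart/[[...slug]].ts
+++ b/apps/dcellar-web-ui/src/pages/api/chart/[[...slug]].ts
@@ -1,9 +1,13 @@
 import axios from 'axios';
 import qs from 'query-string';
 import { NextApiRequest, NextApiResponse } from 'next';
-import { EXPLORER_API_URL } from '@/base/env';
+import { ALLOWED_DOMAINS, EXPLORER_API_URL } from '@/base/env';
+import { validateReferer } from '@/utils/req';
 
 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
+if (!validateReferer(req.headers.referer || '', ALLOWED_DOMAINS)) {
+res.status(403).json({ message: 'Forbidden' });
+}
 const { slug, ...query } = req.query;
 const slugs = slug as string[];
 const url = `${EXPLORER_API_URL}/greenfield/chart/${slugs.join('/')}?${qs.stringify(query)}`;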
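--- a/apps/dcellar-web-ui/src/pages/api/policies/[[...slug]].ts
+++ b/apps/dcellar-web-ui/src/pages/api/policies/[[...slug]].ts
@@ -1,8 +1,12 @@
-import { EXPLORER_API_URL } from '@/base/env';
+import { ALLOWED_DOMAINS, EXPLORER_API_URL } from '@/base/env';
+import { validateReferer } from '@/utils/req';
 import axios from 'axios';
 import { NextApiRequest, NextApiResponse } from 'next';
 
 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
+if (!validateReferer(req.headers.referer || '', ALLOWED_DOMAINS)) {
+res.status(403).json({ message: 'Forbidden' });
+}
 const { slug } = req.query;
 const slugs = slug as string[];
 const url = `${EXPLORER_API_URL}/greenfield/permission/policy/list/by_resource/${slugs.join(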
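--- a/apps/dcellar-web-ui/src/pages/api/total_cost/[[...slug]].ts
+++ b/apps/dcellar-web-ui/src/pages/api/total_cost/[[...slug]].ts
@@ -1,8 +1,12 @@
-import { BILLING_API_URL } from '@/base/env';
+import { ALLOWED_DOMAINS, BILLING_API_URL } from '@/base/env';
+import { validateReferer } from '@/utils/req';
 import axios from 'axios';
 import { NextApiRequest, NextApiResponse } from 'next';
 
 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
+if (!validateReferer(req.headers.referer || '', ALLOWED_DOMAINS)) {
+res.status(403).json({ message: 'Forbidden' });
+}
 const { slug } = req.query;
 const slugs = slug as string[];
 const url = `${BILLING_API_URL}/greenfield/total_cost/${slugs.join('/')}`;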
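--- a/apps/dcellar-web-ui/src/utils/req.ts
+++ b/apps/dcellar-web-ui/src/utils/req.ts
@@ -0,0 +1,11 @@
+const localhostDomains = ['localhost', '127.0.0.1', '::1'];
+
+export function validateReferer(referrer: string, allowedDomains: string) {
+if (!referrer) {
+return false;
+}
+const domain = new URL(referrer).hostname;
+const domains = allowedDomains.split(',').concat(localhostDomains);
+
+return domains.includes(domain);
+}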
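Review bot: `new URL(referrer)` at line 7 of the new file throws on a Referer value that is not an absolute URL, and `allowedDomains.split(',')` on the next line throws when the env-derived argument is `undefined`; in both cases the calling API handler gets an exception instead of a `false`, so a malformed or missing header produces a 500 rather than the intended 403. Two smaller points on the allow-list itself: the WHATWG URL parser returns IPv6 hostnames in brackets, so `'::1'` in `localhostDomains` can never match (`new URL('http://[::1]:3000/').hostname` is `'[::1]'`), and the localhost entries are appended unconditionally, so they are accepted in production as well as in development — if that is intended, a comment should say so. Entries in the comma-separated list are also not trimmed, so `"a.example, b.example"` would silently reject the second host; this is hedged since the format of the env variable is not shown here. The function is small enough that the rewrite below covers all of it; a TSDoc header noting that Referer is client-supplied and this is a same-site convenience check, not authentication, is also worth adding.

```typescript
const localhostDomains = ['localhost', '127.0.0.1', '[::1]'];

export function validateReferer(referrer: string, allowedDomains: string | undefined) {
  if (!referrer) {
    return false;
  }
  let domain: string;
  try {
    domain = new URL(referrer).hostname;
  } catch {
    // An unparseable Referer is a failed check, not a server error.
    return false;
  }
  const domains = (allowedDomains ?? '')
    .split(',')
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .concat(localhostDomains);

  return domains.includes(domain);
}
```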
