From f418c403d62307180bc1c3478fdd8a9e4dcc2e3e Mon Sep 17 00:00:00 2001
From: Kelly
Date: Tue, 9 Dec 2025 12:06:14 -0700
Subject: [PATCH] feat(auth): Add *.cannabrands.app to trusted origins whitelist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds pattern-based origin matching to support wildcard subdomains. All *.cannabrands.app origins now bypass API key authentication.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 backend/src/auth/middleware.ts | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/backend/src/auth/middleware.ts b/backend/src/auth/middleware.ts
index 4df7ff64..15e82d53 100755
--- a/backend/src/auth/middleware.ts
+++ b/backend/src/auth/middleware.ts
@@ -29,6 +29,11 @@ const TRUSTED_ORIGINS = [
   'http://localhost:5173',
 ];
 
+// Pattern-based trusted origins (wildcards)
+const TRUSTED_ORIGIN_PATTERNS = [
+  /^https:\/\/.*\.cannabrands\.app$/, // *.cannabrands.app
+];
+
 // Trusted IPs for internal pod-to-pod communication
 const TRUSTED_IPS = [
   '127.0.0.1',
@@ -42,8 +47,16 @@ const TRUSTED_IPS = [
 function isTrustedRequest(req: Request): boolean {
   // Check origin header
   const origin = req.headers.origin;
-  if (origin && TRUSTED_ORIGINS.includes(origin)) {
-    return true;
+  if (origin) {
+    if (TRUSTED_ORIGINS.includes(origin)) {
+      return true;
+    }
+    // Check pattern-based origins (wildcards like *.cannabrands.app)
+    for (const pattern of TRUSTED_ORIGIN_PATTERNS) {
+      if (pattern.test(origin)) {
+        return true;
+      }
+    }
   }
 
   // Check referer header (for same-origin requests without CORS)
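Review bot: The pattern `/^https:\/\/.*\.cannabrands\.app$/` added to TRUSTED_ORIGIN_PATTERNS uses `.*`, which accepts any characters — including `/`, `@`, `#` and an empty label — between the scheme and the suffix, so it matches strings that are not a bare subdomain origin at all (`https://.cannabrands.app` matches because `.*` may be empty). For a value that gates an authentication bypass the host part should be restricted to hostname characters, e.g. `/^https:\/\/[a-z0-9-]+(\.[a-z0-9-]+)*\.cannabrands\.app$/`. The trailing comment `// *.cannabrands.app` would be more useful as `// *.cannabrands.app — tested against the raw Origin header and the normalised Referer origin; keep the host charset tight`, so a future edit keeps the two call sites below in step.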
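Review bot: The `if (origin)` branch added in isTrustedRequest makes the API-key bypass depend on the `Origin` request header, which is supplied by the client and carries no proof of where the request came from; the exact-match list already had this property, but widening it to every host under the wildcard turns a small allow-list into an open namespace and deserves a comment stating the limitation. The same applies to the Referer branch in the next hunk. If the intent is to exempt browser sessions from those sites, the header match should be treated as a CSRF-style signal and combined with something the client cannot fabricate (a session cookie validated elsewhere, or the network identity the TRUSTED_IPS branch already uses). At minimum add `// NOTE: Origin/Referer are client-supplied; this is a same-site heuristic, not authentication` above the new block. isTrustedRequest continues past the end of this hunk.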
@@ -54,6 +67,18 @@ function isTrustedRequest(req: Request): boolean {
         return true;
       }
     }
+    // Check pattern-based referers
+    try {
+      const refererUrl = new URL(referer);
+      const refererOrigin = refererUrl.origin;
+      for (const pattern of TRUSTED_ORIGIN_PATTERNS) {
+        if (pattern.test(refererOrigin)) {
+          return true;
+        }
+      }
+    } catch {
+      // Invalid referer URL, skip
+    }
   }
 
   // Check IP for internal requests (pod-to-pod, localhost)
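Review bot: The pattern loop added in the Referer branch duplicates the one in the Origin branch above, and the two paths test different things — this one normalises with `new URL(referer).origin` first, while the Origin branch tests the raw header value — so the same host can pass one check and fail the other. Extract a single helper, `const matchesTrustedPattern = (o: string): boolean => TRUSTED_ORIGIN_PATTERNS.some((p) => p.test(o));`, call it from both branches, and give the Origin branch the same `new URL(...).origin` normalisation inside its own try/catch so a non-URL header value never reaches the regexes. The `refererUrl` local is only used for `.origin` and can be folded into `const refererOrigin = new URL(referer).origin;`. The enclosing `if (referer)` block and isTrustedRequest itself start before this hunk.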