Creationshop/cannaiq
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Creationshop:fix/wordpress-version-sync
Branches Tags
Creationshop:master Creationshop:develop Creationshop:production Creationshop:feat/minio-payload-storage Creationshop:feat/proxy-reload-and-bulk-import Creationshop:feat/task-schedules-consolidation Creationshop:feat/preflight-phase2-reporting Creationshop:fix/api-security-audit Creationshop:feat/persistent-workers-statefulset Creationshop:feat/query-api-and-trusted-origins Creationshop:feat/preflight-api-fields Creationshop:fix/ci-and-preflight-enforcement Creationshop:feat/ui-polish-and-ci-caching Creationshop:feat/cannaiq-ui-polish Creationshop:fix/worker-memory-backoff Creationshop:fix/ci-worker-resilience Creationshop:fix/ci-remove-migration-step Creationshop:fix/ci-migrate-via-kubectl Creationshop:fix/ci-event-syntax Creationshop:ci/support-manual-pipelines Creationshop:fix/ci-config-path Creationshop:fix/ci-filename Creationshop:feat/task-pool-toggle Creationshop:fix/worker-proxy-wait Creationshop:feat/task-workflow-refactor Creationshop:fix/analytics-v2-queries Creationshop:fix/auth-token-priority Creationshop:chore/wordpress-plugin-downloads Creationshop:fix/ci-build-args-format Creationshop:fix/wordpress-version-sync Creationshop:fix/trusted-origins-wildcards Creationshop:feat/brand-intelligence-api Creationshop:fix/ci-build-args Creationshop:feat/wordpress-widgets Creationshop:fix/findagram-brands-crash Creationshop:feat/ci-auto-merge Creationshop:feat/auto-migrations Creationshop:feat/stealth-worker-system Creationshop:fix/public-api-column-mappings Creationshop:fix/task-handler-typescript-errors Creationshop:feature/wp-plugin-versioning-and-fixes Creationshop:feature/seo-template-library-and-enhancements Creationshop:fix/static-paths-and-crawl-filters Creationshop:feature/cannaiq-menus-plugin-rename Creationshop:feature/workers-dashboard
..
compare: Creationshop:chore/wordpress-plugin-downloads
Branches Tags
Creationshop:master Creationshop:develop Creationshop:production Creationshop:feat/minio-payload-storage Creationshop:feat/proxy-reload-and-bulk-import Creationshop:feat/task-schedules-consolidation Creationshop:feat/preflight-phase2-reporting Creationshop:fix/api-security-audit Creationshop:feat/persistent-workers-statefulset Creationshop:feat/query-api-and-trusted-origins Creationshop:feat/preflight-api-fields Creationshop:fix/ci-and-preflight-enforcement Creationshop:feat/ui-polish-and-ci-caching Creationshop:feat/cannaiq-ui-polish Creationshop:fix/worker-memory-backoff Creationshop:fix/ci-worker-resilience Creationshop:fix/ci-remove-migration-step Creationshop:fix/ci-migrate-via-kubectl Creationshop:fix/ci-event-syntax Creationshop:ci/support-manual-pipelines Creationshop:fix/ci-config-path Creationshop:fix/ci-filename Creationshop:feat/task-pool-toggle Creationshop:fix/worker-proxy-wait Creationshop:feat/task-workflow-refactor Creationshop:fix/analytics-v2-queries Creationshop:fix/auth-token-priority Creationshop:chore/wordpress-plugin-downloads Creationshop:fix/ci-build-args-format Creationshop:fix/wordpress-version-sync Creationshop:fix/trusted-origins-wildcards Creationshop:feat/brand-intelligence-api Creationshop:fix/ci-build-args Creationshop:feat/wordpress-widgets Creationshop:fix/findagram-brands-crash Creationshop:feat/ci-auto-merge Creationshop:feat/auto-migrations Creationshop:feat/stealth-worker-system Creationshop:fix/public-api-column-mappings Creationshop:fix/task-handler-typescript-errors Creationshop:feature/wp-plugin-versioning-and-fixes Creationshop:feature/seo-template-library-and-enhancements Creationshop:fix/static-paths-and-crawl-filters Creationshop:feature/cannaiq-menus-plugin-rename Creationshop:feature/workers-dashboard

6 Commits
fix/wordpr ... chore/word

Author SHA1 Message Date
Kelly
166583621b chore: Add WordPress plugin v1.6.0 download files 
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2025-12-10 17:23:25 -07:00
kelly
ca952c4674 Merge pull request 'fix(ci): Use YAML map format for docker-buildx build_args' (#21) from fix/ci-build-args-format into master 
Reviewed-on: https://code.cannabrands.app/Creationshop/dispensary-scraper/pulls/21
 2025-12-10 23:54:33 +00:00
kelly
4054778b6c Merge pull request 'feat: Add wildcard support for trusted domains' (#20) from fix/trusted-origins-wildcards into master 
Reviewed-on: https://code.cannabrands.app/Creationshop/dispensary-scraper/pulls/20
 2025-12-10 23:54:11 +00:00
Kelly
56a5f00015 fix(ci): Use YAML map format for docker-buildx build_args 
The woodpeckerci/plugin-docker-buildx plugin expects build_args as a
YAML map (key: value), not a list. This was causing build args to not
be passed to the Docker build, resulting in unknown git SHA and build
info in the deployed application.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2025-12-10 16:42:05 -07:00
Kelly
f25bebf6ee feat: Add wildcard support for trusted domains 
Add *.cannaiq.co and *.cannabrands.app to trusted domains list.
Updated isTrustedDomain() to recognize *.domain.com as wildcard
that matches the base domain and any subdomain.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2025-12-10 15:29:23 -07:00
Kelly
22dad6d0fc feat: Add wildcard trusted origins for cannaiq.co and cannabrands.app 
Add *.cannaiq.co and *.cannabrands.app patterns to both:
- auth/middleware.ts (admin routes)
- public-api.ts (consumer /api/v1/* routes)

This allows any subdomain of these domains to access the API without
requiring an API key.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2025-12-10 15:25:04 -07:00
6 changed files with 57 additions and 10 deletions
Expand all files Collapse all files

8
.woodpecker/.ci.yml
View File

@@ -90,10 +90,10 @@ steps:
platforms: linux/amd64
provenance: false
build_args:
- APP_BUILD_VERSION=${CI_COMMIT_SHA:0:8}
- APP_GIT_SHA=${CI_COMMIT_SHA}
- APP_BUILD_TIME=${CI_PIPELINE_CREATED}
- CONTAINER_IMAGE_TAG=${CI_COMMIT_SHA:0:8}
APP_BUILD_VERSION: ${CI_COMMIT_SHA:0:8}
APP_GIT_SHA: ${CI_COMMIT_SHA}
APP_BUILD_TIME: ${CI_PIPELINE_CREATED}
CONTAINER_IMAGE_TAG: ${CI_COMMIT_SHA:0:8}
depends_on: []
when:
branch: master

BIN
backend/public/downloads/cannaiq-menus-1.6.0.zip Normal file
View File

Binary file not shown.

1
backend/public/downloads/cannaiq-menus-latest.zip Symbolic link
View File

@@ -0,0 +1 @@
cannaiq-menus-1.6.0.zip

1
backend/src/auth/middleware.ts
View File

@@ -32,6 +32,7 @@ const TRUSTED_ORIGINS = [
// Pattern-based trusted origins (wildcards)
const TRUSTED_ORIGIN_PATTERNS = [
/^https:\/\/.*\.cannabrands\.app$/, // *.cannabrands.app
/^https:\/\/.*\.cannaiq\.co$/, // *.cannaiq.co
];
// Trusted IPs for internal pod-to-pod communication

26
backend/src/middleware/trustedDomains.ts
View File

@@ -5,8 +5,8 @@ import { Request, Response, NextFunction } from 'express';
* These are our own frontends that should have unrestricted access.
*/
const TRUSTED_DOMAINS = [
'cannaiq.co',
'www.cannaiq.co',
'*.cannaiq.co',
'*.cannabrands.app',
'findagram.co',
'www.findagram.co',
'findadispo.com',
@@ -32,6 +32,24 @@ function extractDomain(header: string): string | null {
}
}
/**
* Checks if a domain matches any trusted domain (supports *.domain.com wildcards)
*/
function isTrustedDomain(domain: string): boolean {
for (const trusted of TRUSTED_DOMAINS) {
if (trusted.startsWith('*.')) {
// Wildcard: *.example.com matches example.com and any subdomain
const baseDomain = trusted.slice(2);
if (domain === baseDomain || domain.endsWith('.' + baseDomain)) {
return true;
}
} else if (domain === trusted) {
return true;
}
}
return false;
}
/**
* Checks if the request comes from a trusted domain
*/
@@ -42,7 +60,7 @@ function isRequestFromTrustedDomain(req: Request): boolean {
// Check Origin header first (preferred for CORS requests)
if (origin) {
const domain = extractDomain(origin);
if (domain && TRUSTED_DOMAINS.includes(domain)) {
if (domain && isTrustedDomain(domain)) {
return true;
}
}
@@ -50,7 +68,7 @@ function isRequestFromTrustedDomain(req: Request): boolean {
// Fallback to Referer header
if (referer) {
const domain = extractDomain(referer);
if (domain && TRUSTED_DOMAINS.includes(domain)) {
if (domain && isTrustedDomain(domain)) {
return true;
}
}

31
backend/src/routes/public-api.ts
View File

@@ -130,6 +130,12 @@ const CONSUMER_TRUSTED_ORIGINS = [
'http://localhost:3002',
];
// Wildcard trusted origin patterns (*.domain.com)
const CONSUMER_TRUSTED_PATTERNS = [
/^https:\/\/([a-z0-9-]+\.)?cannaiq\.co$/,
/^https:\/\/([a-z0-9-]+\.)?cannabrands\.app$/,
];
// Trusted IPs for local development (bypass API key auth)
const TRUSTED_IPS = ['127.0.0.1', '::1', '::ffff:127.0.0.1'];
@@ -150,8 +156,17 @@ function isConsumerTrustedRequest(req: Request): boolean {
return true;
}
const origin = req.headers.origin;
if (origin && CONSUMER_TRUSTED_ORIGINS.includes(origin)) {
return true;
if (origin) {
// Check exact matches
if (CONSUMER_TRUSTED_ORIGINS.includes(origin)) {
return true;
}
// Check wildcard patterns
for (const pattern of CONSUMER_TRUSTED_PATTERNS) {
if (pattern.test(origin)) {
return true;
}
}
}
const referer = req.headers.referer;
if (referer) {
@@ -160,6 +175,18 @@ function isConsumerTrustedRequest(req: Request): boolean {
return true;
}
}
// Check wildcard patterns against referer origin
try {
const refererUrl = new URL(referer);
const refererOrigin = refererUrl.origin;
for (const pattern of CONSUMER_TRUSTED_PATTERNS) {
if (pattern.test(refererOrigin)) {
return true;
}
}
} catch {
// Invalid referer URL, ignore
}
}
return false;
}