fix: check origin in the event endpoint INTER-570 (#127)

* fix: check origin in the event endpoint * fix: try pretteirin eslintrc
fingerprintjs · Mar 7, 2024 · a45a59c · a45a59c
1 parent 2129de5
commit a45a59c
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -4,7 +4,7 @@ module.exports = {
     'next/core-web-vitals',
     '@fingerprintjs/eslint-config-dx-team',
     // necessary to pickup project-specific overrides in prettierrc.js
-    'plugin:prettier/recommended',
+    'prettier',
   ],
   plugins: ['react-hooks', 'jsx-a11y'],
   rules: {

diff --git a/src/client/components/playground/usePlaygroundSignals.ts b/src/client/components/playground/usePlaygroundSignals.ts
@@ -23,7 +23,7 @@ export function usePlaygroundSignals() {
   } = useQuery<EventResponse | undefined>(
     [requestId],
     () =>
-      fetch(`/api/event/${agentResponse?.requestId}`).then((res) => {
+      fetch(`/api/event/${agentResponse?.requestId}`, { method: 'POST' }).then((res) => {
         if (res.status !== 200) {
           throw new Error(`${res.statusText}`);
         }

diff --git a/src/pages/api/event/[requestId].ts b/src/pages/api/event/[requestId].ts
@@ -1,8 +1,21 @@
 import { isEventError } from '@fingerprintjs/fingerprintjs-pro-server-api';
 import { NextApiRequest, NextApiResponse } from 'next';
 import { fingerprintJsApiClient } from '../../../server/fingerprint-api';
+import { ourOrigins } from '../../../server/server';
 
 export default async function getFingerprintEvent(req: NextApiRequest, res: NextApiResponse) {
+  /**
+   * In production, it's a good idea to validate the origin of the request,
+   * since this endpoint exposes the underlying authenticated Fingerprint Server API endpoint.
+   * It's just an extra precaution, you should primarily be using [Request filtering](https://dev.fingerprint.com/docs/request-filtering)
+   * to protect your Public API key from unauthorized usage.
+   */
+  const origin = req.headers['origin'] as string;
+  if (process.env.NODE_ENV === 'production' && !ourOrigins.includes(origin)) {
+    res.status(403).send({ message: `Origin ${origin} is not allowed to call this endpoint` });
+    return;
+  }
+
   const { requestId } = req.query as { requestId: string };
   return await tryGetFingerprintEvent(res, requestId);
 }