From a45a59c1b557646db05d93ed7b4d05d61960f358 Mon Sep 17 00:00:00 2001
From: Juraj Uhlar
Date: Thu, 7 Mar 2024 08:20:19 -0300
Subject: [PATCH] fix: check origin in the event endpoint INTER-570 (#127)

* fix: check origin in the event endpoint
* fix: try pretteirin eslintrc
---
 .eslintrc.js | 2 +-
 .../components/playground/usePlaygroundSignals.ts | 2 +-
 src/pages/api/event/[requestId].ts | 13 +++++++++++++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/.eslintrc.js b/.eslintrc.js
index 805c813d..d747db8e 100644
--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -4,7 +4,7 @@ module.exports = {
 'next/core-web-vitals',
 '@fingerprintjs/eslint-config-dx-team',
 // necessary to pickup project-specific overrides in prettierrc.js
- 'plugin:prettier/recommended',
+ 'prettier',
 ],
 plugins: ['react-hooks', 'jsx-a11y'],
 rules: {
diff --git a/src/client/components/playground/usePlaygroundSignals.ts b/src/client/components/playground/usePlaygroundSignals.ts
index ffc8ae74..aa43fabc 100644
--- a/src/client/components/playground/usePlaygroundSignals.ts
+++ b/src/client/components/playground/usePlaygroundSignals.ts
@@ -23,7 +23,7 @@ export function usePlaygroundSignals() {
 } = useQuery(
 [requestId],
 () =>
- fetch(`/api/event/${agentResponse?.requestId}`).then((res) => {
+ fetch(`/api/event/${agentResponse?.requestId}`, { method: 'POST' }).then((res) => {
 if (res.status !== 200) {
 throw new Error(`${res.statusText}`);
 }
diff --git a/src/pages/api/event/[requestId].ts b/src/pages/api/event/[requestId].ts
index bf779fe4..0d3656fb 100644
--- a/src/pages/api/event/[requestId].ts
+++ b/src/pages/api/event/[requestId].ts
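Review bot: The switch to `{ method: 'POST' }` has no comment explaining it, and the hunk alone gives no reason; it presumably exists so the browser includes an Origin header, which same-origin GET fetches omit and which the server-side check added in src/pages/api/event/[requestId].ts requires in production. A one-line comment above the call, `// POST so the browser sends an Origin header; /api/event rejects requests without an allowed origin in production`, would stop the next maintainer from reverting it to a plain GET and silently breaking the playground. The enclosing usePlaygroundSignals hook and its useQuery call start and end outside this hunk.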
@@ -1,8 +1,21 @@
 import { isEventError } from '@fingerprintjs/fingerprintjs-pro-server-api';
 import { NextApiRequest, NextApiResponse } from 'next';
 import { fingerprintJsApiClient } from '../../../server/fingerprint-api';
+import { ourOrigins } from '../../../server/server';
 
 export default async function getFingerprintEvent(req: NextApiRequest, res: NextApiResponse) {
+ /**
+ * In production, it's a good idea to validate the origin of the request,
+ * since this endpoint exposes the underlying authenticated Fingerprint Server API endpoint.
+ * It's just an extra precaution, you should primarily be using [Request filtering](https://dev.fingerprint.com/docs/request-filtering)
+ * to protect your Public API key from unauthorized usage.
+ */
+ const origin = req.headers['origin'] as string;
+ if (process.env.NODE_ENV === 'production' && !ourOrigins.includes(origin)) {
+ res.status(403).send({ message: `Origin ${origin} is not allowed to call this endpoint` });
+ return;
+ }
+
 const { requestId } = req.query as { requestId: string };
 return await tryGetFingerprintEvent(res, requestId);
 }
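Review bot: `req.headers['origin'] as string` hides that the header can be absent, so `origin` is `undefined` whenever a client omits it (same-origin GET fetches and non-browser clients); in production the `includes` check still rejects it, but the response then reads `Origin undefined is not allowed…`. Declaring it as `const origin = req.headers.origin;` and rejecting `typeof origin !== 'string'` before the allow-list lookup keeps the type honest and avoids echoing a client-controlled header back in the body, where a fixed message is enough. The handler also accepts every HTTP method, while the client was switched to POST in src/client/components/playground/usePlaygroundSignals.ts — presumably so the browser reliably sends Origin; an explicit `if (req.method !== 'POST') { res.status(405).end(); return; }` at the top would make that contract enforced rather than implicit. getFingerprintEvent lies entirely within the hunk.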