fix: check origin in the event endpoint

fingerprintjs · Mar 5, 2024 · fbb0f5c · fbb0f5c
1 parent 270bbbf
commit fbb0f5c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/src/client/components/playground/usePlaygroundSignals.ts b/src/client/components/playground/usePlaygroundSignals.ts
@@ -23,7 +23,7 @@ export function usePlaygroundSignals() {
   } = useQuery<EventResponse | undefined>(
     [requestId],
     () =>
-      fetch(`/api/event/${agentResponse?.requestId}`).then((res) => {
+      fetch(`/api/event/${agentResponse?.requestId}`, { method: 'POST' }).then((res) => {
         if (res.status !== 200) {
           throw new Error(`${res.statusText}`);
         }

diff --git a/src/pages/api/event/[requestId].ts b/src/pages/api/event/[requestId].ts
@@ -1,9 +1,23 @@
 import { isEventError } from '@fingerprintjs/fingerprintjs-pro-server-api';
 import { NextApiRequest, NextApiResponse } from 'next';
 import { fingerprintJsApiClient } from '../../../server/fingerprint-api';
+import { ourOrigins } from '../../../server/server';
 
 export default async function getFingerprintEvent(req: NextApiRequest, res: NextApiResponse) {
   const { requestId } = req.query as { requestId: string };
+
+  /**
+   * In production, it's a good idea to validate the origin of the request,
+   * since this endpoint exposes the underlying authenticated Fingerprint Server API endpoint.
+   * It's just an extra layer of protection, you should primarily be using [Request filtering](https://dev.fingerprint.com/docs/request-filtering)
+   * to protect your Public API key from unauthorized usage.
+   */
+  const origin = req.headers['origin'];
+  if (process.env.NODE_ENV === 'production' && !ourOrigins.includes(origin as string)) {
+    res.status(403).send({ message: `Origin ${origin} is not allowed to call this endpoint` });
+    return;
+  }
+
   return await tryGetFingerprintEvent(res, requestId);
 }