diff --git a/src/client/components/playground/usePlaygroundSignals.ts b/src/client/components/playground/usePlaygroundSignals.ts
index ffc8ae74..aa43fabc 100644
--- a/src/client/components/playground/usePlaygroundSignals.ts
+++ b/src/client/components/playground/usePlaygroundSignals.ts
@@ -23,7 +23,7 @@ export function usePlaygroundSignals() {
 } = useQuery(
 [requestId],
 () =>
- fetch(`/api/event/${agentResponse?.requestId}`).then((res) => {
+ fetch(`/api/event/${agentResponse?.requestId}`, { method: 'POST' }).then((res) => {
 if (res.status !== 200) {
 throw new Error(`${res.statusText}`);
 }
diff --git a/src/pages/api/event/[requestId].ts b/src/pages/api/event/[requestId].ts
index bf779fe4..40c29923 100644
--- a/src/pages/api/event/[requestId].ts
+++ b/src/pages/api/event/[requestId].ts
@@ -1,9 +1,23 @@
 import { isEventError } from '@fingerprintjs/fingerprintjs-pro-server-api';
 import { NextApiRequest, NextApiResponse } from 'next';
 import { fingerprintJsApiClient } from '../../../server/fingerprint-api';
+import { ourOrigins } from '../../../server/server';
 export default async function getFingerprintEvent(req: NextApiRequest, res: NextApiResponse) {
 const { requestId } = req.query as { requestId: string };
+
+ /**
+ * In production, it's a good idea to validate the origin of the request,
+ * since this endpoint exposes the underlying authenticated Fingerprint Server API endpoint.
+ * It's just an extra layer of protection, you should primarily be using [Request filtering](https://dev.fingerprint.com/docs/request-filtering)
+ * to protect your Public API key from unauthorized usage.
+ */
+ const origin = req.headers['origin'];
+ if (process.env.NODE_ENV === 'production' && !ourOrigins.includes(origin as string)) {
+ res.status(403).send({ message: `Origin ${origin} is not allowed to call this endpoint` });
+ return;
+ }
+
+
 return await tryGetFingerprintEvent(res, requestId);
 }
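Review bot: The switch to POST on the changed fetch line has no explanation at the call site; the motivation appears to be that browsers attach an Origin header to POST requests, which the API route in the second file now checks, and without a comment the next reader may revert it to a plain GET. A one-liner above the call would preserve that intent, e.g. `// POST so the browser sends an Origin header, which /api/event/[requestId] validates`. Note also that the unchanged `throw new Error(\`${res.statusText}\`)` on the following lines discards the JSON body of a 403 from that origin check, so the UI only ever sees the reason phrase (which may be empty over HTTP/2). usePlaygroundSignals starts and ends outside the hunk.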
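Review bot: The `origin as string` cast in the new `includes` call hides the case where the Origin header is absent, so the 403 branch fires on `undefined` only by accident of `Array.prototype.includes` returning false; narrowing the type keeps the fail-closed behaviour and drops the assertion: `const origin = req.headers.origin;` / `if (process.env.NODE_ENV === 'production' && (typeof origin !== 'string' || !ourOrigins.includes(origin))) {`. Since the client in the first hunk now sends POST, the handler could also reject other methods with a 405 before the origin check, which keeps the two sides consistent and is cheap to add. The check is skipped whenever NODE_ENV is not `production`, so local runs and tests never exercise it; if that is intended, a short comment saying so next to the condition would help. The rejected origin is echoed back in the response body but not logged, so consider a server-side log line for the 403 as well, since that is where a misconfigured `ourOrigins` would first show up.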