trentuna/candle-annotator
8
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions

fix(auth): allow same-origin browser requests through API middleware

Browse source
This commit is contained in:
Marko Djordjevic 2026-02-18 23:07:42 +01:00
parent d6b980a3ca
commit 3448c6febd
1 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/proxy.ts
View file

@ -21,6 +21,15 @@ export function proxy(request: NextRequest) {
const requestApiKey = request.headers.get("X-API-Key"); const requestApiKey = request.headers.get("X-API-Key");
// Allow same-origin browser requests (UI -> /api/*) without exposing API_KEY to client JS.
// Keep API key auth for non-browser/external clients.
const fetchSite = request.headers.get("sec-fetch-site");
const isSameOriginBrowserRequest = fetchSite === "same-origin";
if (isSameOriginBrowserRequest) {
return NextResponse.next();
}
if (!requestApiKey || requestApiKey !== apiKey) { if (!requestApiKey || requestApiKey !== apiKey) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
} }