security: fix critical webhook direct upgrade path, seed auth, CORS Vary header
Deploy Staging / build (push) Failing after 26m15s
Deploy Staging / build (push) Failing after 26m15s
- Webhook polar/route: block direct ?userId=&tier= upgrades in production (NODE_ENV guard) - Seed route: require ADMIN_SECRET via x-admin-secret header - Feedback route: require FEEDBACK_ADMIN_TOKEN env var in production - CORS middleware: add Vary: Origin header for caching correctness - MOCK_PAYMENTS: add NODE_ENV production guard - Wallet top-up: add production guard for mock mode when POLAR_ACCESS_TOKEN unset
This commit is contained in:
@@ -30,8 +30,15 @@ export async function POST(req: NextRequest) {
|
||||
const pricing = TOP_UP_AMOUNTS[amount as keyof typeof TOP_UP_AMOUNTS];
|
||||
const totalFlh = amount + (pricing.bonus || 0);
|
||||
|
||||
// Mock mode: use when POLAR_ACCESS_TOKEN is not configured
|
||||
// Mock mode: use when POLAR_ACCESS_TOKEN is not configured (dev only)
|
||||
if (!process.env.POLAR_ACCESS_TOKEN) {
|
||||
// Production guard: never allow mock top-ups in production
|
||||
if (process.env.NODE_ENV === "production") {
|
||||
return NextResponse.json(
|
||||
{ error: "Payment service not configured" },
|
||||
{ status: 500 }
|
||||
);
|
||||
}
|
||||
await prisma.user.update({
|
||||
where: { id: jwtPayload.userId },
|
||||
data: { flhBalance: { increment: totalFlh } },
|
||||
|
||||
Reference in New Issue
Block a user