security: fix critical webhook direct upgrade path, seed auth, CORS Vary header
- Webhook polar/route: block direct ?userId=&tier= upgrades in production (NODE_ENV guard) - Seed route: require ADMIN_SECRET via x-admin-secret header - Feedback route: require FEEDBACK_ADMIN_TOKEN env var in production - CORS middleware: add Vary: Origin header for caching correctness - MOCK_PAYMENTS: add NODE_ENV production guard - Wallet top-up: add production guard for mock mode when POLAR_ACCESS_TOKEN unset
This commit is contained in:
@@ -11,12 +11,20 @@ import { prisma } from "@/lib/prisma";
|
||||
|
||||
export async function POST(req: NextRequest) {
|
||||
try {
|
||||
// Check for direct fallback query params (dev/testing)
|
||||
// Check for direct fallback query params (dev/testing only)
|
||||
const url = new URL(req.url);
|
||||
const directUserId = url.searchParams.get("userId");
|
||||
const directTier = url.searchParams.get("tier");
|
||||
|
||||
if (directUserId && directTier) {
|
||||
// Production guard: never allow direct upgrades in production
|
||||
if (process.env.NODE_ENV === "production") {
|
||||
console.error("Direct upgrade blocked — not allowed in production");
|
||||
return NextResponse.json(
|
||||
{ error: "Direct upgrades not allowed in production" },
|
||||
{ status: 403 }
|
||||
);
|
||||
}
|
||||
return handleDirectUpgrade(directUserId, directTier);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user