security: fix critical webhook direct upgrade path, seed auth, CORS Vary header

- Webhook polar/route: block direct ?userId=&tier= upgrades in production (NODE_ENV guard)
- Seed route: require ADMIN_SECRET via x-admin-secret header
- Feedback route: require FEEDBACK_ADMIN_TOKEN env var in production
- CORS middleware: add Vary: Origin header for caching correctness
- MOCK_PAYMENTS: add NODE_ENV production guard
- Wallet top-up: add production guard for mock mode when POLAR_ACCESS_TOKEN unset
This commit is contained in:
2026-06-28 01:15:45 +08:00
parent 0c3521ba4c
commit de48918acf
10 changed files with 541 additions and 15 deletions
+9 -1
View File
@@ -11,12 +11,20 @@ import { prisma } from "@/lib/prisma";
export async function POST(req: NextRequest) {
try {
// Check for direct fallback query params (dev/testing)
// Check for direct fallback query params (dev/testing only)
const url = new URL(req.url);
const directUserId = url.searchParams.get("userId");
const directTier = url.searchParams.get("tier");
if (directUserId && directTier) {
// Production guard: never allow direct upgrades in production
if (process.env.NODE_ENV === "production") {
console.error("Direct upgrade blocked — not allowed in production");
return NextResponse.json(
{ error: "Direct upgrades not allowed in production" },
{ status: 403 }
);
}
return handleDirectUpgrade(directUserId, directTier);
}