From 3b2d6729f3c4a934f6555e5a18f8134add9fcaf1 Mon Sep 17 00:00:00 2001
From: Naomi Carrigan
Date: Sat, 5 Jul 2025 19:18:10 -0700
Subject: [PATCH] fix: resolve linter errors

---
 server/package.json | 2 +-
 server/src/hooks/cors.ts | 27 +++++++++++++++++++--------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/server/package.json b/server/package.json
index a698045..4d9ad95 100644
--- a/server/package.json
+++ b/server/package.json
@@ -6,7 +6,7 @@
   "type": "module",
   "scripts": {
     "lint": "eslint ./src --max-warnings 0",
-    "dev": "op run --env-file=./dev.env -- tsx watch ./src/index.ts",
+    "dev": "NODE_ENV=dev op run --env-file=./dev.env -- tsx watch ./src/index.ts",
     "build": "tsc",
     "start": "op run --env-file=./prod.env -- node ./prod/index.js",
     "test": "echo 'No tests yet' && exit 0"
diff --git a/server/src/hooks/cors.ts b/server/src/hooks/cors.ts
index 670fa24..8d470e5 100644
--- a/server/src/hooks/cors.ts
+++ b/server/src/hooks/cors.ts
@@ -6,6 +6,19 @@ import type { onRequestHookHandler } from "fastify";
+const isValidOrigin = (origin: string | undefined): boolean => {
+  if (origin === undefined) {
+    // We do not allow server-to-server requests.
+    return false;
+  }
+  if (process.env.NODE_ENV === "dev" && origin === "http://localhost:4200") {
+    // We allow the client to access the server when both are running locally.
+    return true;
+  }
+  // Otherwise, we only allow requests from our web application.
+  return origin === "https://hikari.nhcarrigan.com";
+};
+
 /**
  * Ensures that form submissions only come from our web application.
  * @param request - The request payload from the server.
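Review bot: `NODE_ENV=dev` as an inline prefix on the `dev` script is POSIX shell syntax that the default script shell on Windows (cmd.exe) does not accept, so the script stops working for contributors there; since the command already runs under `op run --env-file=./dev.env`, setting `NODE_ENV=dev` inside `dev.env` would be portable, assuming that file is meant to carry non-secret settings as well. This value also now gates a security decision elsewhere in the commit — the `http://localhost:4200` origin allowance in `cors.ts` fires only when `NODE_ENV` is exactly `dev` — while the `start` script leaves `NODE_ENV` untouched and `prod.env` is not shown, so production silently depends on nothing in that file or the host environment ever setting `NODE_ENV=dev`. Since package.json cannot hold comments, a line in the README or in `dev.env` such as `# NODE_ENV=dev enables the http://localhost:4200 origin in server/src/hooks/cors.ts` would make that coupling visible.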
@@ -17,14 +30,12 @@ export const corsHook: onRequestHookHandler = async(request, response) => {
   if (!request.url.startsWith("/submit")) {
     return undefined;
   }
-  if (request.headers.origin !== "http://localhost:4200" && request.headers.origin !== "https://hikari.nhcarrigan.com") {
-    console.log(request);
-    return await response.
-      status(403).
-      send({
-        error: "This route is only accessible from our dashboard at https://hikari.nhcarrigan.com.",
-      });
+  if (!isValidOrigin(request.headers.origin)) {
+    return await response.status(403).send({
+      error:
+        // eslint-disable-next-line stylistic/max-len -- This is a long error message.
+        "This route is only accessible from our dashboard at https://hikari.nhcarrigan.com.",
+    });
   }
   return undefined;
 };
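Review bot: The new guard `if (!isValidOrigin(request.headers.origin))` makes the 403 rest entirely on the `Origin` request header, which only browsers set reliably; any non-browser client can send `Origin: https://hikari.nhcarrigan.com` and pass, so this protects against cross-site requests launched from a victim's browser (CSRF), not against arbitrary callers, and the doc comment's "Ensures that form submissions only come from our web application" overstates it. I would reword the TSDoc on `corsHook` (its header and signature sit above this hunk, so the function starts outside it) to say so, e.g. `* Rejects browser requests to /submit whose Origin is not our dashboard. This is a CSRF guard only: the header is trivially forged outside a browser, so it is no substitute for authentication on the route.` Two smaller points: `request.url.startsWith("/submit")` also matches paths such as `/submitted` and, since Fastify's `request.url` is the raw URL, is compared with the query string attached, so if only one route is meant, comparing the path alone (for example `request.url.split("?")[0] === "/submit"`) is tighter — hedged, as the route table is not visible here; and the hook sets no CORS response headers, so if the dashboard is served from a different origin than this API, a request that passes the check still needs `Access-Control-Allow-Origin` from elsewhere, presumably a separate plugin.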