feat: client and server logic to manage announcements #3

naomi merged 8 commits from feat/announcements into main 2025-07-05 19:27:21 -07:00
27 changed files with 2008 additions and 106 deletions


@ -6,7 +6,7 @@
"type": "module", "type": "module",
"scripts": { "scripts": {
"lint": "eslint ./src --max-warnings 0", "lint": "eslint ./src --max-warnings 0",
"dev": "op run --env-file=./dev.env -- tsx watch ./src/index.ts", "dev": "NODE_ENV=dev op run --env-file=./dev.env -- tsx watch ./src/index.ts",
"build": "tsc", "build": "tsc",
"start": "op run --env-file=./prod.env -- node ./prod/index.js", "start": "op run --env-file=./prod.env -- node ./prod/index.js",
"test": "echo 'No tests yet' && exit 0" "test": "echo 'No tests yet' && exit 0"
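Review bot: `NODE_ENV=dev` on the `dev` script is a non-standard value; Node tooling and most libraries branch on `development`/`production`, and the only consumer shown in this PR is the CORS hook's `process.env.NODE_ENV === "dev"`, so a later switch to the conventional `development` would silently close the localhost allowance rather than fail loudly. Consider not overloading NODE_ENV for an origin-check relaxation at all and gating it on a dedicated, explicitly named variable instead, e.g. `"dev": "ALLOW_LOCALHOST_ORIGIN=1 op run --env-file=./dev.env -- tsx watch ./src/index.ts"`, with the hook reading that variable. The `start` script is unchanged and sets nothing itself, so production runs with whatever prod.env supplies; it is worth confirming that file never sets `NODE_ENV=dev`.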


@ -6,6 +6,19 @@
import type { onRequestHookHandler } from "fastify"; import type { onRequestHookHandler } from "fastify";
const isValidOrigin = (origin: string | undefined): boolean => {
if (origin === undefined) {
// We do not allow server-to-server requests.
return false;
}
if (process.env.NODE_ENV === "dev" && origin === "http://localhost:4200") {
// We allow the client to access the server when both are running locally.
return true;
}
// Otherwise, we only allow requests from our web application.
return origin === "https://hikari.nhcarrigan.com";
};
/** /**
* Ensures that form submissions only come from our web application. * Ensures that form submissions only come from our web application.
* @param request - The request payload from the server. * @param request - The request payload from the server.
@ -17,13 +30,11 @@ export const corsHook: onRequestHookHandler = async(request, response) => {
if (!request.url.startsWith("/submit")) { if (!request.url.startsWith("/submit")) {
return undefined; return undefined;
} }
if (request.headers.origin !== "http://localhost:4200" if (!isValidOrigin(request.headers.origin)) {
&& request.headers.origin !== "https://hikari.nhcarrigan.com") { return await response.status(403).send({
console.log(request); error:
return await response. // eslint-disable-next-line stylistic/max-len -- This is a long error message.
status(403). "This route is only accessible from our dashboard at https://hikari.nhcarrigan.com.",
send({
error: "This route is only accessible from our dashboard at https://hikari.nhcarrigan.com.",
}); });
} }
return undefined; return undefined;
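Review bot: The comment on the `origin === undefined` branch of `isValidOrigin` ("We do not allow server-to-server requests") overstates what the check enforces: Origin is a client-supplied header, so any non-browser client passes this hook by sending `Origin: https://hikari.nhcarrigan.com`, and what the check actually buys is CSRF hardening for browsers, which are the only clients that send Origin honestly. Reword it to `// No Origin header: reject. Only browsers send Origin reliably, so this blocks cross-site browser requests; it is not authentication.` and make sure the `/submit` routes carry their own authentication, which this file does not show. Since the hook only returns 403 and never sets an Access-Control-Allow-Origin header, it is an origin allow-list rather than CORS handling, and the TSDoc ("Ensures that form submissions only come from our web application") would be more accurate if it said so. The dev branch relaxes the check on `process.env.NODE_ENV === "dev"`, a non-standard value that other tooling will not set; a dedicated flag such as `ALLOW_LOCALHOST_ORIGIN` would keep a mis-set NODE_ENV in production from opening the `http://localhost:4200` origin. `corsHook` closes after the hunk.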