server/package.json

@@ -6,7 +6,7 @@
   "type": "module",
   "scripts": {
     "lint": "eslint ./src --max-warnings 0",
-    "dev": "op run --env-file=./dev.env -- tsx watch ./src/index.ts",
+    "dev": "NODE_ENV=dev op run --env-file=./dev.env -- tsx watch ./src/index.ts",
     "build": "tsc",
     "start": "op run --env-file=./prod.env -- node ./prod/index.js",
     "test": "echo 'No tests yet' && exit 0"

server/src/hooks/cors.ts

@@ -6,6 +6,19 @@
 
 import type { onRequestHookHandler } from "fastify";
 
+const isValidOrigin = (origin: string | undefined): boolean => {
+  if (origin === undefined) {
+    // We do not allow server-to-server requests.
+    return false;
+  }
+  if (process.env.NODE_ENV === "dev" && origin === "http://localhost:4200") {
+    // We allow the client to access the server when both are running locally.
+    return true;
+  }
+  // Otherwise, we only allow requests from our web application.
+  return origin === "https://hikari.nhcarrigan.com";
+};
+
 /**
  * Ensures that form submissions only come from our web application.
  * @param request - The request payload from the server.
@@ -17,13 +30,11 @@ export const corsHook: onRequestHookHandler = async(request, response) => {
   if (!request.url.startsWith("/submit")) {
     return undefined;
   }
-  if (request.headers.origin !== "http://localhost:4200"
-      && request.headers.origin !== "https://hikari.nhcarrigan.com") {
-    console.log(request);
-    return await response.
-      status(403).
-      send({
-        error: "This route is only accessible from our dashboard at https://hikari.nhcarrigan.com.",
+  if (!isValidOrigin(request.headers.origin)) {
+    return await response.status(403).send({
+      error:
+        // eslint-disable-next-line stylistic/max-len -- This is a long error message.
+        "This route is only accessible from our dashboard at https://hikari.nhcarrigan.com.",
     });
   }
   return undefined;