From 24fd3fc26aafb3ad381438376213fc8e31b2ca0b Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Tue, 12 Nov 2024 09:23:30 -0300
Subject: [PATCH] security: restrict the setting of CORS headers to inv.nadeko.net related domains

---
 main.go | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/main.go b/main.go
index cee7c20..8fd0aaf 100644
--- a/main.go
+++ b/main.go
@@ -321,16 +321,27 @@ func beforeProxy(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		defer panicHandler(w)
 
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-		w.Header().Set("Access-Control-Allow-Headers", "*")
-		w.Header().Set("Access-Control-Max-Age", "1728000")
-
 		// To prevent accessing from the bare IP address
 		if req.Host == "" || net.ParseIP(strings.Split(req.Host, ":")[0]) != nil {
 			w.WriteHeader(444)
 			return
 		}
 
+		// Only allow requests from origin inv.nadeko.net
+		// Why? Because I don't want anyone to use this proxy for their own purposes.
+		// Hardcoded because I'm lazy lol!
+		origin := req.URL.Query().Get("Origin")
+		if origin == "https://inv.nadeko.net" || origin == "https://materialious.nadeko.net" {
+			w.Header().Set("Access-Control-Allow-Origin", "*")
+			w.Header().Set("Access-Control-Allow-Headers", "*")
+			w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
+			w.Header().Set("Access-Control-Max-Age", "1728000")
+		} else {
+			w.WriteHeader(401)
+			io.WriteString(w, "Only requests coming from inv.nadeko.net are allowed.")
+			return
+		}
+
 		if h3s {
 			w.Header().Set("Alt-Svc", "h3=\":8443\"; ma=86400")
 		}
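Review bot: The origin check on the new `origin := req.URL.Query().Get("Origin")` line reads a query-string parameter, not the request's Origin header; browsers send Origin only as a header, so a genuine cross-origin request from inv.nadeko.net lands in the 401 branch unless the frontend appends `?Origin=...` (not visible here), while any client that does append it passes, so the gate neither admits the intended origin reliably nor excludes others. Use `origin := req.Header.Get("Origin")`, and since the allowed set is now a specific list, echo the validated value and mark the response as origin-dependent with `w.Header().Set("Access-Control-Allow-Origin", origin)` followed by `w.Header().Add("Vary", "Origin")` instead of setting `*`. An Origin-header check only scopes browser CORS access and does not restrict non-browser clients, so the comment's "Only allow requests from origin inv.nadeko.net" should say it is a browser-side restriction; 403 also fits the rejection better than 401, which implies a WWW-Authenticate challenge. The diffstat shows no import change, so the new `io.WriteString` call presumes `io` is already imported in main.go. The enclosing beforeProxy closure continues past the end of the hunk.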