allow remote comments only from expected url

2025-06-25 20:05:37 -07:00 · 2025-06-25 20:05:37 -07:00 · 306053b1e3
commit 306053b1e3
parent a72d32850b
2 changed files with 15 additions and 0 deletions
--- a/cmd/web/handlers_guestbook.go
+++ b/cmd/web/handlers_guestbook.go
@ -257,6 +257,11 @@ func (app *application) postGuestbookCommentCreateRemote(w http.ResponseWriter,
 		return
 	}

+	if normalizeUrl(r.Header.Get("Origin")) != normalizeUrl(website.SiteUrl) {
+		app.clientError(w, http.StatusForbidden)
+		return
+	}
+
 	if !website.Guestbook.CanComment() {
 		app.clientError(w, http.StatusForbidden)
 		return
--- a/cmd/web/helpers.go
+++ b/cmd/web/helpers.go
@ -7,6 +7,7 @@ import (
 	"net/http"
 	"runtime/debug"
 	"strconv"
+	"strings"
 	"time"

 	"git.32bit.cafe/32bitcafe/guestbook/internal/models"
@ -127,3 +128,12 @@ func (app *application) durationToTime(duration string) (time.Time, error) {
 	result = time.Now().UTC().Add(offset)
 	return result, nil
 }
+
+func normalizeUrl(url string) string {
+	r, f := strings.CutPrefix(url, "http://")
+	if f {
+		return r
+	}
+	r, _ = strings.CutPrefix(url, "https://")
+	return r
+}