chore: production origin hardcoded

speakeasy-api · Jan 11, 2025 · cb7d88c · cb7d88c
1 parent 08150c8
commit cb7d88c
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/web/api/share.ts b/web/api/share.ts
@@ -2,12 +2,13 @@ import { put } from "@vercel/blob";
 import { createHash } from "crypto";
 
 const MAX_DATA_SIZE = 5 * 1024 * 1024; // 5MB
-const AllowedOrigin = process.env.VERCEL_URL ?? "http://localhost";
+const AllowedOrigin = process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost";
+const productionOrigin = "https://overlay.speakeasy.com";
 
 export function POST(request: Request) {
   const origin = request.headers.get("Origin");
 
-  if (!origin || !origin.includes(AllowedOrigin)) {
+  if (!origin || (!origin.startsWith(AllowedOrigin) && !origin.startsWith(productionOrigin))) {
     return new Response("Unauthorized", { status: 403 });
   }