Diffstat (limited to 'packages/integrations/vercel/src/serverless/entrypoint.ts')
-rw-r--r-- | packages/integrations/vercel/src/serverless/entrypoint.ts | 32 |
1 files changed, 25 insertions, 7 deletions
diff --git a/packages/integrations/vercel/src/serverless/entrypoint.ts b/packages/integrations/vercel/src/serverless/entrypoint.ts
index a60f03d7a..5dfba7697 100644
--- a/packages/integrations/vercel/src/serverless/entrypoint.ts
+++ b/packages/integrations/vercel/src/serverless/entrypoint.ts
@@ -1,26 +1,44 @@ import type { SSRManifest } from 'astro'; import { applyPolyfills, NodeApp } from 'astro/app/node'; import type { IncomingMessage, ServerResponse } from 'node:http'; -import { ASTRO_PATH_HEADER, ASTRO_PATH_PARAM, ASTRO_LOCALS_HEADER } from './adapter.js'; +import { + ASTRO_PATH_HEADER, + ASTRO_PATH_PARAM, + ASTRO_LOCALS_HEADER, + ASTRO_MIDDLEWARE_SECRET_HEADER, +} from './adapter.js'; applyPolyfills(); -export const createExports = (manifest: SSRManifest) => { +export const createExports = ( + manifest: SSRManifest, + { middlewareSecret }: { middlewareSecret: string } +) => { const app = new NodeApp(manifest); const handler = async (req: IncomingMessage, res: ServerResponse) => { const url = new URL(`https://example.com${req.url}`); const clientAddress = req.headers['x-forwarded-for'] as string | undefined; const localsHeader = req.headers[ASTRO_LOCALS_HEADER]; + const middlewareSecretHeader = req.headers[ASTRO_MIDDLEWARE_SECRET_HEADER]; const realPath = req.headers[ASTRO_PATH_HEADER] ?? url.searchParams.get(ASTRO_PATH_PARAM); if (typeof realPath === 'string') { req.url = realPath; } - const locals = - typeof localsHeader === 'string' + + let locals = {}; + if (localsHeader) { + if (middlewareSecretHeader !== middlewareSecret) { + res.statusCode = 403; + res.end('Forbidden'); + return; + } + locals = typeof localsHeader === 'string' ? JSON.parse(localsHeader) - : Array.isArray(localsHeader) - ? JSON.parse(localsHeader[0]) - : {}; + : JSON.parse(localsHeader[0]); + } + // hide the secret from the rest of user code + delete req.headers[ASTRO_MIDDLEWARE_SECRET_HEADER]; + const webResponse = await app.render(req, { addCookieHeader: true, clientAddress, locals }); await NodeApp.writeResponse(webResponse, res); }; |
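Review bot: The new guard `middlewareSecretHeader !== middlewareSecret` compares the secret with an ordinary string inequality, which is not constant-time and does not require the configured secret to be a non-empty string. If `middlewareSecret` were ever `undefined` at runtime (for example, adapter args not passed; the type says `string`, but it is not checked here), a request carrying a locals header and no secret header would pass the check and have its JSON accepted as `locals`. I would normalise the header to a single string, reject an empty expected value, and compare with `timingSafeEqual` from `node:crypto`, which needs an added import and a length check first because it throws on unequal lengths. Separately, `JSON.parse` on the locals header can throw inside the async handler, so a `try`/`catch` that answers 400 may be worth adding.

```typescript
let locals = {};
if (localsHeader) {
	const provided = Buffer.from(
		typeof middlewareSecretHeader === 'string' ? middlewareSecretHeader : ''
	);
	const expected = Buffer.from(middlewareSecret ?? '');
	// timingSafeEqual throws on unequal lengths, so compare lengths first
	if (
		expected.length === 0 ||
		provided.length !== expected.length ||
		!timingSafeEqual(provided, expected)
	) {
		// … unchanged: 403 'Forbidden' response and return …
	}
	// … unchanged: JSON.parse of localsHeader …
}
```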