diff --git a/src/auth.js b/src/auth.js index f80da4f..117e7ae 100644 --- a/src/auth.js +++ b/src/auth.js @@ -80,12 +80,20 @@ export function checkOrigin(req, res, next) { if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next(); const origin = req.get('origin') || req.get('referer'); if (origin) { + const allowed = allowedHosts(req); try { const host = new URL(origin).host; - if (allowedHosts(req).has(host)) return next(); + if (allowed.has(host)) return next(); } catch { /* fall through */ } + log.warn('checkOrigin rejected', { + origin, + host: req.get('host'), + xForwardedHost: req.get('x-forwarded-host'), + allowed: [...allowed], + path: req.path, + }); return res.status(403).send('Bad origin'); } // No Origin/Referer header (e.g. some curl uploads) — allow; SameSite cookie still guards browsers.