From da99cfdb606cb5253c3c934af96622852221cf9a Mon Sep 17 00:00:00 2001 From: portakal Date: Tue, 16 Jun 2026 14:53:32 +0300 Subject: [PATCH] diag: log checkOrigin rejections --- src/auth.js | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/auth.js b/src/auth.js index f80da4f..117e7ae 100644 --- a/src/auth.js +++ b/src/auth.js @@ -80,12 +80,20 @@ export function checkOrigin(req, res, next) { if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next(); const origin = req.get('origin') || req.get('referer'); if (origin) { + const allowed = allowedHosts(req); try { const host = new URL(origin).host; - if (allowedHosts(req).has(host)) return next(); + if (allowed.has(host)) return next(); } catch { /* fall through */ } + log.warn('checkOrigin rejected', { + origin, + host: req.get('host'), + xForwardedHost: req.get('x-forwarded-host'), + allowed: [...allowed], + path: req.path, + }); return res.status(403).send('Bad origin'); } // No Origin/Referer header (e.g. some curl uploads) — allow; SameSite cookie still guards browsers.