From 8a800d33a39098726e723856f752875a7cd310cd Mon Sep 17 00:00:00 2001
From: yashdesu
Date: Tue, 10 Dec 2024 18:24:44 +0530
Subject: [PATCH 1/2] feat: add referrer and origin restrictions on storage middleware

---
 middleware.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/middleware.ts b/middleware.ts
index e1e82b6..e9893a6 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -15,6 +15,13 @@ export default async function middleware(req: Request) {
 return next()
 }
 
+ const allowedDomains = ['https://clubs.place/', 'https://prerelease.clubs.place/']
+ const origin = req.headers.get('origin')
+ const referer = req.headers.get('referer')
+ if (!referer || !allowedDomains.includes(referer) || !origin || !allowedDomains.includes(origin)) {
+ return new Response('Forbidden', { status: 403 });
+ }
+
 // Fetch nano id of the asset from url.
 const nanoId = url.pathname.split('/').at(-1)
 if (!nanoId) {
@@ -36,7 +43,7 @@ export default async function middleware(req: Request) {
 .then((res: unknown) => (res ? (res as string) : ''))
 .catch((err: Error) => err as Error),
 )
-
+ console.log('Original url', originalURL)
 return originalURL instanceof Error || !originalURL
 ? new Response(JSON.stringify({ error: 'Error occured' }), {
 status: 500,
From 392d236dc5d6a775b5c239e5459e2194405d9460 Mon Sep 17 00:00:00 2001
From: yashdesu
Date: Tue, 10 Dec 2024 18:42:44 +0530
Subject: [PATCH 2/2] feat: add origin and referrer rule in middleware

---
 middleware.ts | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/middleware.ts b/middleware.ts
index e9893a6..6231cff 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -1,7 +1,7 @@
 /* eslint-disable functional/no-conditional-statements */
-import { whenNotErrorAll } from '@devprotocol/util-ts'
 import { Redis } from '@upstash/redis'
 import { rewrite, next } from '@vercel/edge'
+import { whenNotErrorAll } from '@devprotocol/util-ts'
 
 export const config = {
 matcher: ['/((?!_astro).*)'],
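Review bot: The origin/referer check added in the `@@ -15,6 +15,13 @@` hunk will reject legitimate browser requests rather than hotlinks, because `allowedDomains.includes(referer)` compares the entire header value against `'https://clubs.place/'` while Referer normally carries the full page URL, and a serialized Origin has no trailing slash (`https://clubs.place`), so `allowedDomains.includes(origin)` can never match; the same logic is carried over unchanged, only reformatted, in PATCH 2/2's `@@ -30,6 +23,21 @@` hunk. Browsers also omit Origin on plain same-origin GET navigations and image loads, and a Referrer-Policy can strip Referer, so requiring both headers to be present blocks normal asset loads. Parse each header with `new URL(...)` and compare `.origin` against a set of allowed origins, deciding deliberately which header must be present; a sketch follows. Both headers are client-supplied, so this is a hotlink deterrent rather than an authorization boundary, which is worth stating in a comment beside the check so a later reader does not rely on it as access control. The body of `middleware` continues outside the hunk.

```typescript
  // Client-supplied headers: a hotlink deterrent, not an authorization check.
  const allowedOrigins = new Set([
    'https://clubs.place',
    'https://prerelease.clubs.place',
  ])
  const originOf = (header: string | null): string | undefined => {
    if (!header) return undefined
    try {
      return new URL(header).origin
    } catch {
      return undefined
    }
  }
  const origin = originOf(req.headers.get('origin'))
  const referer = originOf(req.headers.get('referer'))
  // Origin is often absent on same-origin GETs, so accept whichever header is
  // present as long as it names an allowed origin; reject when neither does.
  const present = [origin, referer].filter((o) => o !== undefined)
  if (present.length === 0 || !present.every((o) => allowedOrigins.has(o))) {
    return new Response('Forbidden', { status: 403 })
  }
  // … unchanged: Redis client and asset lookup …
```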
@@ -15,13 +15,6 @@ export default async function middleware(req: Request) {
 return next()
 }
 
- const allowedDomains = ['https://clubs.place/', 'https://prerelease.clubs.place/']
- const origin = req.headers.get('origin')
- const referer = req.headers.get('referer')
- if (!referer || !allowedDomains.includes(referer) || !origin || !allowedDomains.includes(origin)) {
- return new Response('Forbidden', { status: 403 });
- }
-
 // Fetch nano id of the asset from url.
 const nanoId = url.pathname.split('/').at(-1)
 if (!nanoId) {
@@ -30,6 +23,21 @@ export default async function middleware(req: Request) {
 })
 }
 
+ const allowedDomains = [
+ 'https://clubs.place/',
+ 'https://prerelease.clubs.place/',
+ ]
+ const origin = req.headers.get('origin')
+ const referer = req.headers.get('referer')
+ if (
+ !referer ||
+ !allowedDomains.includes(referer) ||
+ !origin ||
+ !allowedDomains.includes(origin)
+ ) {
+ return new Response('Forbidden', { status: 403 })
+ }
+
 const client = new Redis({
 url: process.env.KV_REST_API_URL,
 token: process.env.KV_REST_API_READ_ONLY_TOKEN,
@@ -43,7 +51,7 @@ export default async function middleware(req: Request) {
 .then((res: unknown) => (res ? (res as string) : ''))
 .catch((err: Error) => err as Error),
 )
- console.log('Original url', originalURL)
+
 return originalURL instanceof Error || !originalURL
 ? new Response(JSON.stringify({ error: 'Error occured' }), {
 status: 500,