only gitranks.com can trigger graphql endpoint

Author: maslianok

app/api/badge/[login]/route.tsx

@@ -1,6 +1,6 @@
 import { redirect } from 'next/navigation';
 import { NextRequest } from 'next/server';
-import { BadgeTemplateType, BadgeType } from '@/badge/badge.types';
+import { BadgeTemplateType, BadgeType, ThemeType } from '@/badge/badge.types';
 import { renderSmallBadge } from '@/badge/templates/small/small.render';
 import { renderMediumBadge } from '@/badge/templates/medium/medium.render';
 
@@ -16,12 +16,12 @@ const getRendererByTemplate = (template: BadgeTemplateType) => {
 };
 
 export async function GET(req: NextRequest, { params }: Props) {
-  const theme = 'light';
   const { login } = await params;
 
   const searchParams = req.nextUrl.searchParams;
   const type = searchParams.get('type') as BadgeType;
   const template = searchParams.get('template') as BadgeTemplateType;
+  const theme = (searchParams.get('theme') ?? 'light') as ThemeType;
 
   const svg = await getRendererByTemplate(template)({ theme, login, type });
 

app/api/graphql/route.ts

@@ -1,6 +1,19 @@
 import { NextRequest, NextResponse } from 'next/server';
 
 export async function POST(req: NextRequest) {
+  const isProd = process.env.NODE_ENV === 'production';
+
+  if (isProd) {
+    const origin = req.headers.get('origin') || req.headers.get('referer');
+    const host = req.headers.get('host');
+    const protocol = req.headers.get('x-forwarded-proto') || 'https';
+    const expectedOrigin = `${protocol}://${host}`;
+
+    if (!origin || !origin.startsWith(expectedOrigin)) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+    }
+  }
+
   try {
     const { query, variables } = await req.json();