simo 2 gün önce
ebeveyn
işleme
d6d8dfeeec

+ 3 - 1
src/pages/api/game/[id]/complete.ts

@@ -1,9 +1,11 @@
 import type { APIRoute } from "astro";
 import { init, getGame, updateGame, getUser, updateUserStats, addRatingHistory, json } from "@utils/db";
-import { getUserFromRequest } from "@utils/auth";
+import { getUserFromRequest, checkOrigin } from "@utils/auth";
 import { calculateNewRatings } from "@utils/elo";
 
 export const POST: APIRoute = async ({ request, params }) => {
+  const blocked = checkOrigin(request);
+  if (blocked) return blocked;
   await init();
 
   const currentUser = getUserFromRequest(request);
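Review bot: The same two-line `checkOrigin` guard is now hand-inserted at the top of each mutating handler (here at the start of POST, whose body continues beyond the hunk), so a route added later without those lines is unprotected and nothing would flag the omission. Astro's `src/middleware.ts` `onRequest` hook could run `checkOrigin` once for every request whose method is not GET, HEAD or OPTIONS and call `next()` otherwise, leaving the handlers with only their own authentication. If the per-handler form is kept, a comment on the guard such as `// CSRF: reject cross-origin browser requests before touching the DB` would help the next reader, since a 403 here is easy to mistake for an authorization failure.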

+ 3 - 4
src/pages/api/game/[id]/index.ts

@@ -1,6 +1,6 @@
 import type { APIRoute } from "astro";
 import { init, getGame, updateGame, json } from "@utils/db";
-import { getUserFromRequest } from "@utils/auth";
+import { getUserFromRequest, checkOrigin } from "@utils/auth";
 
 export const GET: APIRoute = async ({ params }) => {
   await init();
@@ -11,12 +11,11 @@ export const GET: APIRoute = async ({ params }) => {
 
 // Join as player 2
 export const POST: APIRoute = async ({ request, params }) => {
+  const blocked = checkOrigin(request);
+  if (blocked) return blocked;
   await init();
 
   const currentUser = getUserFromRequest(request);
-
-  console.log(request.headers.get("cookie"));
-  console.log(currentUser);
   if (!currentUser) return json({ error: "Not authenticated" }, 401);
 
   const game = await getGame(params.id!);

+ 3 - 1
src/pages/api/game/[id]/score.ts

@@ -1,8 +1,10 @@
 import type { APIRoute } from "astro";
 import { init, getGame, updateGame, json } from "@utils/db";
-import { getUserFromRequest } from "@utils/auth";
+import { getUserFromRequest, checkOrigin } from "@utils/auth";
 
 export const PATCH: APIRoute = async ({ request, params }) => {
+  const blocked = checkOrigin(request);
+  if (blocked) return blocked;
   await init();
 
   const currentUser = getUserFromRequest(request);

+ 3 - 5
src/pages/api/game/index.ts

@@ -1,6 +1,6 @@
 import type { APIRoute } from "astro";
 import { init, createGame, getRecentGames, json } from "@utils/db";
-import { getUserFromRequest } from "@utils/auth";
+import { getUserFromRequest, checkOrigin } from "@utils/auth";
 
 export const GET: APIRoute = async () => {
   await init();
@@ -9,13 +9,11 @@ export const GET: APIRoute = async () => {
 };
 
 export const POST: APIRoute = async ({ request }) => {
+  const blocked = checkOrigin(request);
+  if (blocked) return blocked;
   await init();
 
   const currentUser = getUserFromRequest(request);
-
-  console.log(request.headers.get("cookie"));
-  console.log(currentUser);
-
   if (!currentUser) return json({ error: "Not authenticated" }, 401);
 
   const id = crypto.randomUUID().replace(/-/g, "").slice(0, 12);

+ 11 - 0
src/utils/auth.ts

@@ -15,6 +15,17 @@ export function clearUserCookie(): string {
   return `klask_user=; Path=/; SameSite=Lax; Max-Age=0`;
 }
 
+export function checkOrigin(request: Request): Response | null {
+  const origin = request.headers.get("origin");
+  if (!origin) return null; // same-origin requests (non-browser) omit Origin
+  const requestUrl = new URL(request.url);
+  if (origin === requestUrl.origin) return null;
+  return new Response(JSON.stringify({ error: "Forbidden" }), {
+    status: 403,
+    headers: { "Content-Type": "application/json" },
+  });
+}
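Review bot: `checkOrigin` fails open when the Origin header is absent (`if (!origin) return null;`), yet privacy extensions and browser settings can strip Origin from a cross-site POST/PATCH, so the CSRF guard then accepts the request while the cookie is still attached. When Origin is missing, `Sec-Fetch-Site` (reject anything other than `same-origin` or `none`) and the `Referer` origin should be consulted before accepting, and only a request carrying none of the three treated as a non-browser client. Separately, `new URL(request.url).origin` is whatever the Astro adapter saw; behind a TLS-terminating proxy or a server bound to a local hostname that may differ in scheme or host from the public origin a browser sends, rejecting legitimate same-origin requests — presumably this wants to compare against a configured site origin, which is worth confirming for the deployment. The rewrite below keeps the signature and the 403 body unchanged.
```typescript
export function checkOrigin(request: Request): Response | null {
  // NOTE(review): request.url is what the adapter saw; behind a proxy compare
  // against a configured public origin instead.
  const expected = new URL(request.url).origin;
  const forbidden = (): Response =>
    new Response(JSON.stringify({ error: "Forbidden" }), {
      status: 403,
      headers: { "Content-Type": "application/json" },
    });

  const origin = request.headers.get("origin");
  if (origin !== null) return origin === expected ? null : forbidden();

  // No Origin: only accept when the remaining browser signals are also clean.
  const fetchSite = request.headers.get("sec-fetch-site");
  if (fetchSite !== null && fetchSite !== "same-origin" && fetchSite !== "none") return forbidden();

  const referer = request.headers.get("referer");
  if (referer !== null) {
    let refOrigin: string;
    try {
      refOrigin = new URL(referer).origin;
    } catch {
      return forbidden();
    }
    if (refOrigin !== expected) return forbidden();
  }
  return null; // no Origin, Sec-Fetch-Site or Referer at all: non-browser client
}
```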
+
 export function validateName(name: string): string | null {
   const trimmed = name.trim();
   if (trimmed.length < 2) return "Name must be at least 2 characters";