fix: cross-site POST requests (#184)

jthegedus · Sep 8, 2022 · e2d8081 · e2d8081
1 parent 410a103
commit e2d8081
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/src/files/entry.js b/src/files/entry.js
@@ -4,6 +4,7 @@ import {manifest} from 'MANIFEST';
 import {toSvelteKitRequest} from './firebase-to-svelte-kit.js';
 
 const server = new Server(manifest);
+
 /**
  * Firebase Cloud Function handler for SvelteKit
  *

diff --git a/src/files/firebase-to-svelte-kit.js b/src/files/firebase-to-svelte-kit.js
@@ -5,7 +5,10 @@
  * @return {import('@sveltejs/kit').IncomingRequest}
  */
 export function toSvelteKitRequest(request) {
-	const host = `${request.headers['x-forwarded-proto']}://${request.headers.host}`;
+	// Firebase sometimes omits the protocol used. Default to http.
+	const protocol = request.headers['x-forwarded-proto'] || 'http';
+	// Firebase forwards the request to sveltekit, use the forwarded host.
+	const host = `${protocol}://${request.headers['x-forwarded-host']}`;
 	const {href, pathname, searchParams: searchParameters} = new URL(request.url || '', host);
 	// eslint-disable-next-line no-undef
 	return new Request(href, {

diff --git a/tests/end-to-end/test.bash b/tests/end-to-end/test.bash
@@ -93,10 +93,10 @@ if [[ "${RESULT}" != *"${EXPECTED_SUBSTRING}"* ]]; then
 fi
 
 echo "${INDICATOR}Test POST to '/todos' API"
-EXPECTED_SUBSTRING='"text":"asdf"'
+EXPECTED_SUBSTRING='{"type":"success","status":204}'
 # expected result = {"uid":"","created_at":01234,"text":"asdf","done":false}
 # generated from the browser & copied with 'copy for cURL' browser context menu
-RESULT="$(curl -X POST "http://localhost:${PORT}/todos" \
+RESULT="$(curl -X POST "http://localhost:${PORT}/todos?/add" \
 	-H "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" \
 	-H "Accept: */*" \
 	-H "Accept-Language: en-GB,en;q=0.5" \