security: remove unsafe-eval CSP, fix host header injection, harden API routes

- Remove unsafe-eval from script-src CSP (not needed in production) - Replace Host/Origin header fallback with NEXT_PUBLIC_APP_URL in share and checkout routes to prevent host header injection - Add .catch() to request.json() in share POST and PATCH routes - Add rate limiting (3/min) to account deletion endpoint
author: Fuwn <[email protected]> 2026-02-07 05:35:28 -0800
committer: Fuwn <[email protected]> 2026-02-07 05:35:28 -0800
commit: c4b2813cc07a72ad7186347a2e003c01cf0d4fb0 (patch)
tree: ef9e2991084139e649dc7f6d3ada0795789a55f0 /apps/web/app/api/share/[token]/route.ts
parent: fix: dynamically calculate detail panel equal split from current layout (diff)
download: asa.news-c4b2813cc07a72ad7186347a2e003c01cf0d4fb0.tar.xz
asa.news-c4b2813cc07a72ad7186347a2e003c01cf0d4fb0.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/apps/web/app/api/share/[token]/route.ts b/apps/web/app/api/share/[token]/route.ts
index d1d57b5..20de1ae 100644
--- a/apps/web/app/api/share/[token]/route.ts
+++ b/apps/web/app/api/share/[token]/route.ts
@@ -48,7 +48,10 @@ export async function PATCH(
   }
 
   const { token } = await params
-  const body = await request.json()
+  const body = await request.json().catch(() => null)
+  if (!body || typeof body !== "object") {
+    return NextResponse.json({ error: "invalid request body" }, { status: 400 })
+  }
   const rawNote = body.note
 
   let note: string | null = null
author	Fuwn <[email protected]>	2026-02-07 05:35:28 -0800
committer	Fuwn <[email protected]>	2026-02-07 05:35:28 -0800
commit	c4b2813cc07a72ad7186347a2e003c01cf0d4fb0 (patch)
tree	ef9e2991084139e649dc7f6d3ada0795789a55f0 /apps/web/app/api/share/[token]/route.ts
parent	fix: dynamically calculate detail panel equal split from current layout (diff)
download	asa.news-c4b2813cc07a72ad7186347a2e003c01cf0d4fb0.tar.xz asa.news-c4b2813cc07a72ad7186347a2e003c01cf0d4fb0.zip