validate request headers

Author: ScriptRaccoon

src/components/SuggestionForm.svelte

@@ -33,6 +33,7 @@
 			const res = await fetch('/api/issue', {
 				method: 'POST',
 				body: JSON.stringify({ title, body, url: page.url.href, name }),
+				headers: { 'Content-Type': 'application/json' },
 			})
 
 			const res_json = await res.json()

src/routes/api/issue/+server.ts

@@ -10,6 +10,7 @@ import {
 	GITHUB_REPO,
 	TITLE_MAX_LENGTH,
 	NAME_MAX_LENGTH,
+	ORIGIN,
 } from './config'
 import { flag_violation, is_blocked, has_profanity, rate_limit } from '$lib/server/redis'
 
@@ -72,6 +73,16 @@ async function parse_data(
 ): Promise<
 	{ error: string } | { title: string; body: string; url: string; name: string }
 > {
+	const content_type = request.headers.get('Content-Type')
+	if (content_type !== 'application/json') {
+		return { error: 'Forbidden' }
+	}
+
+	const origin = request.headers.get('origin') ?? ''
+	if (!request.url.startsWith(origin)) {
+		return { error: 'Forbidden' }
+	}
+
 	let data
 	try {
 		data = await request.json()

src/routes/api/issue/config.ts

@@ -5,3 +5,4 @@ export const GITHUB_REPO = 'CatDat'
 export const TITLE_MAX_LENGTH = 50
 export const BODY_MAX_LENGTH = 10000
 export const NAME_MAX_LENGTH = 50
+export const ORIGIN = 'https://catdat.app'