mail edge function: only authorize backend (#2490)

* Update filters-defaults.ts

hotfix

* mail edge function: only authorize backend

* create a Middleware to ensure the request originates from a trusted backend service.

* Update middlewares.ts

explicit return

Author: J43fura

supabase/functions/_shared/middlewares.ts

@@ -1,5 +1,8 @@
+import { Context, Next } from "hono";
 import { NextFunction, Request, Response } from "npm:express";
-import { createSupabaseClient } from "./supabase-self-hosted.ts";
+import { createSupabaseClient } from "./supabase.ts";
+
+const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
 
 export async function authorizeUser(
   req: Request,
@@ -15,3 +18,20 @@ export async function authorizeUser(
   res.locals.user = user;
   return next();
 }
+
+/**
+ * Middleware to ensure the request originates from a trusted backend service.
+ */
+export async function verifyServiceRole(c: Context, next: Next) {
+  const authHeader = c.req.header("authorization");
+  if (!authHeader) {
+    return c.json({ error: "Missing authorization header" }, 401);
+  }
+
+  const token = authHeader.split(" ")[1];
+  if (!token || token !== serviceRoleKey) {
+    return c.json({ error: "Forbidden" }, 403);
+  }
+
+  return await next();
+}

supabase/functions/mail/index.ts

@@ -1,9 +1,12 @@
 import { Context, Hono } from "hono";
+import { verifyServiceRole } from "../_shared/middlewares.ts";
 import mailMiningComplete from "./mining-complete/index.ts";
 
 const functionName = "mail";
 const app = new Hono().basePath(`/${functionName}`);
 
+app.use("*", verifyServiceRole);
+
 app.post("/mining-complete", async (c: Context) => {
   const { miningId } = await c.req.json();
 
@@ -20,6 +23,4 @@ app.post("/mining-complete", async (c: Context) => {
   }
 });
 
-Deno.serve((req) => {
-  return app.fetch(req);
-});
+Deno.serve((req) => app.fetch(req));