diff --git a/apps/cli/src/commands/serve.command.ts b/apps/cli/src/commands/serve.command.ts
index 6900b1f93f..99cd43a2db 100644
--- a/apps/cli/src/commands/serve.command.ts
+++ b/apps/cli/src/commands/serve.command.ts
@@ -149,14 +149,31 @@ export class ServeCommand {
   }
   async run(options: program.OptionValues) {
+    const protectOrigin = !options.disableOriginProtection;
     const port = options.port || 8087;
     const hostname = options.hostname || "localhost";
+    this.main.logService.info(
+      `Starting server on ${hostname}:${port} with ${
+        protectOrigin ? "origin protection" : "no origin protection"
+      }`
+    );
+
     const server = new koa();
     const router = new koaRouter();
     process.env.BW_SERVE = "true";
     process.env.BW_NOINTERACTION = "true";
-    server.use(koaBodyParser()).use(koaJson({ pretty: false, param: "pretty" }));
+    server
+      .use(async (ctx, next) => {
+        if (protectOrigin && ctx.headers.origin != undefined) {
+          ctx.status = 403;
+          this.main.logService.warning(`Blocking request from ${ctx.headers.origin}`);
+          return;
+        }
+        await next();
+      })
+      .use(koaBodyParser())
+      .use(koaJson({ pretty: false, param: "pretty" }));
     router.get("/generate", async (ctx, next) => {
       const response = await this.generateCommand.run(ctx.request.query);
diff --git a/apps/cli/src/program.ts b/apps/cli/src/program.ts
index f3f04b6d51..7182d1acd1 100644
--- a/apps/cli/src/program.ts
+++ b/apps/cli/src/program.ts
@@ -476,6 +476,10 @@ export class Program extends BaseProgram {
       .description("Start a RESTful API webserver.")
       .option("--hostname ", "The hostname to bind your API webserver to.")
       .option("--port ", "The port to run your API webserver on.")
+      .option(
+        "--disable-origin-protection",
+        "If set, allows requests with origin header. Not recommended!"
+      )
       .on("--help", () => {
         writeLn("\n Notes:");
         writeLn("");
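Review bot: The new middleware decides purely on whether an Origin header is present, so it only covers browser requests that carry one; a plain cross-site GET (image load, navigation) carries none, and a page reaching the API under a rebound, non-localhost host name is same-origin and passes as well. The customary complement for a loopback API is to also reject any request whose `ctx.headers.host` is not the bound `${hostname}:${port}`, which closes the DNS-rebinding case regardless of Origin. The value written by `this.main.logService.warning(\`Blocking request from ${ctx.headers.origin}\`)` is client-controlled; logging it as `${JSON.stringify(ctx.headers.origin)}` keeps arbitrary characters from landing raw in the log. Under strict lint `!= undefined` would normally be written `!== undefined`, since koa types `origin` as `string | undefined`. The body of `run` continues past the end of the hunk.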
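Review bot: The help text for `--disable-origin-protection` tells the user the flag is not recommended but not what it actually disables or why that matters, which is the one thing needed to weigh it; suggest `"If set, allows requests that carry an Origin header, i.e. requests made by web pages in a browser. Not recommended!"`. The `serve` command definition this option belongs to starts and ends outside the hunk.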