Improve CORS origin handling; extend invoice repo/service and payments dispatch; rate limit and nginx config updates

Made-with: Love
2026-04-29 05:44:59 +00:00
parent 2cb17df4c5
commit a01797e9b2
12 changed files with 224 additions and 35 deletions
--- a/internal/http/docs/openapi.yaml
+++ b/internal/http/docs/openapi.yaml
@@ -112,6 +112,11 @@ paths:
    post:
      tags: [User]
      summary: Create payment invoice
+      description: |
+        Creates a new Lightning invoice. If this pubkey already has an unpaid, unexpired invoice
+        for the same subscription_type (and same years when yearly), that invoice is returned
+        (idempotent resume). If an unpaid invoice exists for a different plan, it is discarded and
+        a new invoice is created for the requested plan.
      requestBody:
        required: true
        content:
@@ -140,7 +145,7 @@ paths:
              schema: { $ref: '#/components/schemas/Invoice' }
        '400': { description: Validation error, content: { application/json: { schema: { $ref: '#/components/schemas/Error' } } } }
        '403': { description: Forbidden — user already has lifetime access, content: { application/json: { schema: { $ref: '#/components/schemas/Error' } } } }
-        '409': { description: Conflict — username unavailable or pending invoice already exists, content: { application/json: { schema: { $ref: '#/components/schemas/Error' } } } }
+        '409': { description: Conflict — username unavailable, content: { application/json: { schema: { $ref: '#/components/schemas/Error' } } } }
        '503': { description: Lightning unavailable, content: { application/json: { schema: { $ref: '#/components/schemas/Error' } } } }
  /v1/invoices/{payment_hash}:
    get:
--- a/internal/http/handlers/invoices.go
+++ b/internal/http/handlers/invoices.go
@@ -63,8 +63,6 @@ func (h *Invoices) Create(w http.ResponseWriter, r *http.Request) {
 		switch {
 		case errors.Is(err, invoice.ErrLifetimeAccess):
 			WriteError(w, http.StatusForbidden, "User already has lifetime access", "")
-		case errors.Is(err, invoice.ErrPendingInvoiceExists):
-			WriteError(w, http.StatusConflict, "Conflict", err.Error())
 		case errors.Is(err, invoice.ErrUsernameTaken),
 			errors.Is(err, user.ErrUsernameTaken):
 			WriteError(w, http.StatusConflict, "Conflict", "username unavailable")
--- a/internal/http/middleware/cors.go
+++ b/internal/http/middleware/cors.go
@@ -1,18 +1,70 @@
 package middleware

-import "net/http"
+import (
+	"net/http"
+	"net/url"
+	"strings"

-func CORS(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		h := w.Header()
-		h.Set("Access-Control-Allow-Origin", "*")
-		h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
-		h.Set("Access-Control-Allow-Headers", "Content-Type, X-API-Key, Authorization")
-		h.Set("Access-Control-Max-Age", "86400")
-		if r.Method == http.MethodOptions {
-			w.WriteHeader(http.StatusNoContent)
-			return
-		}
-		next.ServeHTTP(w, r)
-	})
+	"github.com/noderunners/nip05api/internal/config"
+)
+
+// CORS sends at most one Access-Control-Allow-Origin value (echo of request Origin).
+// Configure FRONTEND_URL, optional CORS_ORIGINS, and CORS_ALLOW_LOCALHOST / CORS_ALLOW_CREDENTIALS.
+func CORS(cfg *config.Config) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			origin := r.Header.Get("Origin")
+
+			if origin != "" && originAllowed(origin, cfg) {
+				h := w.Header()
+				h.Set("Access-Control-Allow-Origin", origin)
+				h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+				h.Set("Access-Control-Allow-Headers", "Content-Type, X-API-Key, Authorization")
+				h.Set("Access-Control-Max-Age", "86400")
+				if cfg.CORSAllowCredentials {
+					h.Set("Access-Control-Allow-Credentials", "true")
+				}
+			}
+
+			if r.Method == http.MethodOptions {
+				w.WriteHeader(http.StatusNoContent)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+func originAllowed(origin string, cfg *config.Config) bool {
+	if origin == "" {
+		return false
+	}
+
+	u, err := url.Parse(origin)
+	if err != nil || u.Scheme == "" || u.Host == "" {
+		return false
+	}
+
+	for _, allowed := range cfg.CORSExactOrigins() {
+		if origin == allowed {
+			return true
+		}
+	}
+
+	if cfg.CORSAllowLocalhost && isLoopbackOrigin(u) {
+		return true
+	}
+
+	return false
+}
+
+func isLoopbackOrigin(u *url.URL) bool {
+	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
+	switch host {
+	case "localhost", "127.0.0.1", "::1":
+		return true
+	default:
+		return false
+	}
 }
--- a/internal/http/middleware/ratelimit.go
+++ b/internal/http/middleware/ratelimit.go
@@ -10,6 +10,8 @@ import (

 // RateLimit returns a middleware that limits requests per minute by IP.
 // Admin routes are skipped.
+// GET /v1/invoices/{hash} is skipped: the SPA polls invoice status ~30/min while
+// the default global limit is 30/min, which starves pricing and user lookups on the same IP.
 func RateLimit(perMin int) func(http.Handler) http.Handler {
 	if perMin <= 0 {
 		return func(next http.Handler) http.Handler { return next }
@@ -21,6 +23,10 @@ func RateLimit(perMin int) func(http.Handler) http.Handler {
 				next.ServeHTTP(w, r)
 				return
 			}
+			if r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, "/v1/invoices/") {
+				next.ServeHTTP(w, r)
+				return
+			}
 			limiter(next).ServeHTTP(w, r)
 		})
 	}
--- a/internal/http/server.go
+++ b/internal/http/server.go
@@ -34,7 +34,7 @@ func NewServer(d Deps) *http.Server {
 	r.Use(middleware.Recoverer)
 	r.Use(middleware.RealIP)
 	r.Use(middleware.Logging)
-	r.Use(middleware.CORS)
+	r.Use(middleware.CORS(d.Cfg))
 	r.Use(middleware.BodyLimit(1 << 20)) // 1 MiB max request body
 	r.Use(middleware.RateLimit(d.Cfg.RateLimitPerMin))