fix: fetch collators from parachains and restrict CORS to production domains

- NetworkStats now queries Asset Hub and People Chain for collator data instead of relay chain (where collatorSelection doesn't exist) - Restrict Edge Functions CORS to app.pezkuwichain.io domains only - Add Access-Control-Allow-Credentials header for secure cross-origin requests
2026-04-25 02:57:56 +00:00 · 2026-02-06 06:00:01 +03:00
parent bb61e50794
commit f4f50e7abf
4 changed files with 66 additions and 16 deletions
@@ -7,9 +7,20 @@ import { createClient } from 'npm:@supabase/supabase-js@2'
 import { ApiPromise, WsProvider, Keyring } from 'npm:@pezkuwi/api@16.5.11'
 import { cryptoWaitReady } from 'npm:@pezkuwi/util-crypto@14.0.11'

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+// Allowed origins for CORS
+const ALLOWED_ORIGINS = [
+  'https://app.pezkuwichain.io',
+  'https://www.pezkuwichain.io',
+  'https://pezkuwichain.io',
+]
+
+function getCorsHeaders(origin: string | null) {
+  const allowedOrigin = origin && ALLOWED_ORIGINS.includes(origin) ? origin : ALLOWED_ORIGINS[0]
+  return {
+    'Access-Control-Allow-Origin': allowedOrigin,
+    'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+    'Access-Control-Allow-Credentials': 'true',
+  }
 }

 // Platform hot wallet address
@@ -167,6 +178,8 @@ async function sendTokens(
 }

 serve(async (req) => {
+  const corsHeaders = getCorsHeaders(req.headers.get('Origin'))
+
  // Handle CORS preflight
  if (req.method === 'OPTIONS') {
    return new Response(null, { headers: corsHeaders })
@@ -177,10 +177,20 @@ async function processWithdrawal(
 * Main handler
 */
 serve(async (req: Request) => {
-  // CORS headers
+  // Allowed origins for CORS
+  const ALLOWED_ORIGINS = [
+    'https://app.pezkuwichain.io',
+    'https://www.pezkuwichain.io',
+    'https://pezkuwichain.io',
+  ]
+
+  const requestOrigin = req.headers.get('Origin')
+  const allowedOrigin = requestOrigin && ALLOWED_ORIGINS.includes(requestOrigin) ? requestOrigin : ALLOWED_ORIGINS[0]
+
  const headers = {
-    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Origin": allowedOrigin,
    "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
+    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "application/json",
  };

@@ -6,9 +6,20 @@ import { serve } from 'https://deno.land/std@0.168.0/http/server.ts'
 import { createClient } from 'npm:@supabase/supabase-js@2'
 import { ApiPromise, WsProvider } from 'npm:@pezkuwi/api@16.5.11'

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+// Allowed origins for CORS
+const ALLOWED_ORIGINS = [
+  'https://app.pezkuwichain.io',
+  'https://www.pezkuwichain.io',
+  'https://pezkuwichain.io',
+]
+
+function getCorsHeaders(origin: string | null) {
+  const allowedOrigin = origin && ALLOWED_ORIGINS.includes(origin) ? origin : ALLOWED_ORIGINS[0]
+  return {
+    'Access-Control-Allow-Origin': allowedOrigin,
+    'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+    'Access-Control-Allow-Credentials': 'true',
+  }
 }

 // Platform hot wallet address (PRODUCTION) - Treasury_3
@@ -213,6 +224,8 @@ async function verifyTransactionOnChain(
 }

 serve(async (req) => {
+  const corsHeaders = getCorsHeaders(req.headers.get('Origin'))
+
  // Handle CORS preflight
  if (req.method === 'OPTIONS') {
    return new Response(null, { headers: corsHeaders })