mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-05-13 18:46:21 +02:00
a9224254a5
- Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist
55 lines
1.7 KiB
JavaScript
55 lines
1.7 KiB
JavaScript
export const config = { runtime: 'edge' };
|
|
|
|
import { getCorsHeaders, isDisallowedOrigin } from './_cors.js';
|
|
|
|
const SYMBOL_PATTERN = /^[A-Za-z0-9.^=\-]+$/;
|
|
const MAX_SYMBOL_LENGTH = 20;
|
|
|
|
function validateSymbol(symbol) {
|
|
if (!symbol) return null;
|
|
const trimmed = symbol.trim().toUpperCase();
|
|
if (trimmed.length > MAX_SYMBOL_LENGTH) return null;
|
|
if (!SYMBOL_PATTERN.test(trimmed)) return null;
|
|
return trimmed;
|
|
}
|
|
|
|
export default async function handler(req) {
|
|
const cors = getCorsHeaders(req);
|
|
if (isDisallowedOrigin(req)) {
|
|
return new Response(JSON.stringify({ error: 'Origin not allowed' }), { status: 403, headers: cors });
|
|
}
|
|
const url = new URL(req.url);
|
|
const symbol = validateSymbol(url.searchParams.get('symbol'));
|
|
|
|
if (!symbol) {
|
|
return new Response(JSON.stringify({ error: 'Invalid or missing symbol parameter' }), {
|
|
status: 400,
|
|
headers: { 'Content-Type': 'application/json', ...cors },
|
|
});
|
|
}
|
|
|
|
try {
|
|
const yahooUrl = `https://query1.finance.yahoo.com/v8/finance/chart/${encodeURIComponent(symbol)}`;
|
|
const response = await fetch(yahooUrl, {
|
|
headers: {
|
|
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
|
|
},
|
|
});
|
|
|
|
const data = await response.text();
|
|
return new Response(data, {
|
|
status: response.status,
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
...cors,
|
|
'Cache-Control': 'public, max-age=60, s-maxage=60, stale-while-revalidate=30',
|
|
},
|
|
});
|
|
} catch (error) {
|
|
return new Response(JSON.stringify({ error: 'Failed to fetch data' }), {
|
|
status: 500,
|
|
headers: { 'Content-Type': 'application/json', ...cors },
|
|
});
|
|
}
|
|
}
|