From df42d433c92b2991627a1cb34a26c68ca134e998 Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Sun, 24 Nov 2024 16:14:58 -0500
Subject: [PATCH] ops: don't allow no origin
---
 src/backend/src/services/WebServerService.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/backend/src/services/WebServerService.js b/src/backend/src/services/WebServerService.js
index f41d161c..980fcadb 100644
--- a/src/backend/src/services/WebServerService.js
+++ b/src/backend/src/services/WebServerService.js
@@ -359,6 +359,12 @@ class WebServerService extends BaseService {
 req.connection?.remoteAddress,
 };
 await svc_event.emit('ip.validate', event);
+
+ // check if no origin
+ if ( req.method === 'POST' && req.headers.origin === undefined ) {
+ event.allow = false;
+ }
+
 if ( ! event.allow ) {
 return res.status(403).send('Forbidden');
 }
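Review bot: The added guard before `if ( ! event.allow )` rejects only `POST` requests whose `Origin` header is entirely absent, so other state-changing methods (`PUT`, `PATCH`, `DELETE`) and requests carrying an empty or literal `null` origin still pass. If the intent is to refuse any write without a usable origin, something like `if ( ! ['GET', 'HEAD', 'OPTIONS'].includes(req.method) && ! req.headers.origin ) {` would cover the first two cases, with a separate decision on the `null` value. Presence of the header is not validation of it, and whether the value is matched against an allow-list elsewhere is not visible in this hunk. The guard also overrides whatever the `ip.validate` listeners decided and returns the same bare `403 Forbidden`, so non-browser clients that legitimately send no `Origin` are refused with nothing to tell the two causes apart; a log line naming the reason, plus a comment explaining why the rule exists rather than `// check if no origin`, would help operations. The enclosing handler starts and ends outside the hunk.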