From 7fb05181e6faed8cdd2d0a61546b0275471ff429 Mon Sep 17 00:00:00 2001 From: Cosmo Date: Thu, 23 Apr 2026 13:41:57 +0000 Subject: [PATCH] fix(voice/tools): use x-voice-internal header for loopback fetches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Tool endpoints (events, notes, transport, weather) call other /api/* routes via loopback (http://localhost:3000). Those routes are middleware-protected — cookie-less loopbacks were getting 401, which surfaced to the voice agent as get_today_events → tool_http_502. Add internal header bypass: middleware lets the request through when x-voice-internal matches VOICE_API_KEY. Only our own tool endpoints use this header, from inside the same container, so the blast radius is limited to loopback traffic. - middleware.ts: check x-voice-internal before cookie - lib/voice-tools.ts: internalHeaders() helper - app/api/voice/tools/{weather,transport,events,notes}: use it --- app/api/voice/tools/events/route.ts | 4 ++-- app/api/voice/tools/notes/route.ts | 4 ++-- app/api/voice/tools/transport/route.ts | 4 ++-- app/api/voice/tools/weather/route.ts | 4 ++-- lib/voice-tools.ts | 9 +++++++++ middleware.ts | 8 ++++++++ 6 files changed, 25 insertions(+), 8 deletions(-) diff --git a/app/api/voice/tools/events/route.ts b/app/api/voice/tools/events/route.ts index a511d27..98fd46e 100644 --- a/app/api/voice/tools/events/route.ts +++ b/app/api/voice/tools/events/route.ts @@ -2,7 +2,7 @@ export const dynamic = 'force-dynamic' export const runtime = 'nodejs' import { NextResponse } from 'next/server' -import { isBearerAuthorized, unauthorized } from '@/lib/voice-tools' +import { isBearerAuthorized, unauthorized, internalHeaders } from '@/lib/voice-tools' export async function GET(req: Request) { if (!isBearerAuthorized(req)) return unauthorized() @@ -13,7 +13,7 @@ export async function GET(req: Request) { const baseUrl = `http://localhost:${process.env.PORT || '3000'}` const r = await fetch(`${baseUrl}/api/calendar?range=${encodeURIComponent(range)}`, { cache: 'no-store', - headers: { cookie: '' }, + headers: internalHeaders(), }).catch(() => null) if (!r || !r.ok) return NextResponse.json({ events: [], error: 'unreachable' }, { status: 502 }) diff --git a/app/api/voice/tools/notes/route.ts b/app/api/voice/tools/notes/route.ts index 4533364..2e14d79 100644 --- a/app/api/voice/tools/notes/route.ts +++ b/app/api/voice/tools/notes/route.ts @@ -2,7 +2,7 @@ export const dynamic = 'force-dynamic' export const runtime = 'nodejs' import { NextResponse } from 'next/server' -import { isBearerAuthorized, unauthorized } from '@/lib/voice-tools' +import { isBearerAuthorized, unauthorized, internalHeaders } from '@/lib/voice-tools' export async function GET(req: Request) { if (!isBearerAuthorized(req)) return unauthorized() @@ -10,7 +10,7 @@ export async function GET(req: Request) { const baseUrl = `http://localhost:${process.env.PORT || '3000'}` const r = await fetch(`${baseUrl}/api/notes`, { cache: 'no-store', - headers: { cookie: '' }, + headers: internalHeaders(), }).catch(() => null) if (!r || !r.ok) return NextResponse.json({ notes: [] }, { status: 502 }) diff --git a/app/api/voice/tools/transport/route.ts b/app/api/voice/tools/transport/route.ts index 8e71957..3d74e66 100644 --- a/app/api/voice/tools/transport/route.ts +++ b/app/api/voice/tools/transport/route.ts @@ -2,7 +2,7 @@ export const dynamic = 'force-dynamic' export const runtime = 'nodejs' import { NextResponse } from 'next/server' -import { isBearerAuthorized, unauthorized } from '@/lib/voice-tools' +import { isBearerAuthorized, unauthorized, internalHeaders } from '@/lib/voice-tools' // Hardcoded for now — same as TransportWidget. Future: read from /data/tablet-config.json. const STOPS: Record = { @@ -32,7 +32,7 @@ export async function GET(req: Request) { dirsToQuery.map(async (d) => { const r = await fetch(`${baseUrl}/api/transport?stopId=${d.id}`, { cache: 'no-store', - headers: { cookie: '' }, + headers: internalHeaders(), }).catch(() => null) if (!r || !r.ok) return { direction: d.direction, stop_id: d.id, arrivals: [] } const j = await r.json() diff --git a/app/api/voice/tools/weather/route.ts b/app/api/voice/tools/weather/route.ts index ebec493..d57dd92 100644 --- a/app/api/voice/tools/weather/route.ts +++ b/app/api/voice/tools/weather/route.ts @@ -2,7 +2,7 @@ export const dynamic = 'force-dynamic' export const runtime = 'nodejs' import { NextResponse } from 'next/server' -import { isBearerAuthorized, unauthorized } from '@/lib/voice-tools' +import { isBearerAuthorized, unauthorized, internalHeaders } from '@/lib/voice-tools' const CITIES: Record = { spb: { name: 'Санкт-Петербург', lat: '59.9343', lon: '30.3351' }, @@ -40,7 +40,7 @@ export async function GET(req: Request) { const baseUrl = `http://localhost:${process.env.PORT || '3000'}` const r = await fetch(`${baseUrl}/api/weather?lat=${city.lat}&lon=${city.lon}`, { cache: 'no-store', - headers: { cookie: '' }, // bypass middleware (we're public internally) + headers: internalHeaders(), // bypass middleware (we're public internally) }).catch(() => null) // Fallback: hit Open-Meteo directly if our own endpoint didn't respond diff --git a/lib/voice-tools.ts b/lib/voice-tools.ts index c6fa492..a0a98d3 100644 --- a/lib/voice-tools.ts +++ b/lib/voice-tools.ts @@ -17,3 +17,12 @@ export function unauthorized() { headers: { 'Content-Type': 'application/json' }, }) } + +/** + * Headers для loopback-вызовов к другим /api/* роутам из tool endpoints. + * Middleware пропускает запросы с этим header'ом (см. middleware.ts). + */ +export function internalHeaders(): HeadersInit { + const key = process.env.VOICE_API_KEY || '' + return { 'x-voice-internal': key } +} diff --git a/middleware.ts b/middleware.ts index 3844a96..e67908a 100644 --- a/middleware.ts +++ b/middleware.ts @@ -14,6 +14,14 @@ export async function middleware(request: NextRequest) { return NextResponse.next() } + // Internal loopback bypass: tool endpoints shell out to other API routes. + // They pass x-voice-internal with the same VOICE_API_KEY — safe because + // only processes on the same host (the tablet container itself) know the key. + const internal = request.headers.get('x-voice-internal') + if (internal && internal === process.env.VOICE_API_KEY) { + return NextResponse.next() + } + // Check auth by forwarding to auth check const token = request.cookies.get('auth_token')?.value if (!token) {