fix(voice/tools): use x-voice-internal header for loopback fetches
All checks were successful
Deploy / deploy (push) Successful in 3m10s
All checks were successful
Deploy / deploy (push) Successful in 3m10s
Tool endpoints (events, notes, transport, weather) call other /api/* routes via loopback (http://localhost:3000). Those routes are middleware-protected — cookie-less loopbacks were getting 401, which surfaced to the voice agent as get_today_events → tool_http_502. Add internal header bypass: middleware lets the request through when x-voice-internal matches VOICE_API_KEY. Only our own tool endpoints use this header, from inside the same container, so the blast radius is limited to loopback traffic. - middleware.ts: check x-voice-internal before cookie - lib/voice-tools.ts: internalHeaders() helper - app/api/voice/tools/{weather,transport,events,notes}: use it
This commit is contained in:
Cosmo
@@ -2,7 +2,7 @@ export const dynamic = 'force-dynamic'
|
||||
export const runtime = 'nodejs'
|
||||
|
||||
import { NextResponse } from 'next/server'
|
||||
import { isBearerAuthorized, unauthorized } from '@/lib/voice-tools'
|
||||
import { isBearerAuthorized, unauthorized, internalHeaders } from '@/lib/voice-tools'
|
||||
|
||||
const CITIES: Record<string, { name: string; lat: string; lon: string }> = {
|
||||
spb: { name: 'Санкт-Петербург', lat: '59.9343', lon: '30.3351' },
|
||||
@@ -40,7 +40,7 @@ export async function GET(req: Request) {
|
||||
const baseUrl = `http://localhost:${process.env.PORT || '3000'}`
|
||||
const r = await fetch(`${baseUrl}/api/weather?lat=${city.lat}&lon=${city.lon}`, {
|
||||
cache: 'no-store',
|
||||
headers: { cookie: '' }, // bypass middleware (we're public internally)
|
||||
headers: internalHeaders(), // bypass middleware (we're public internally)
|
||||
}).catch(() => null)
|
||||
|
||||
// Fallback: hit Open-Meteo directly if our own endpoint didn't respond
|
||||
|
||||
Reference in New Issue
Block a user