fix(voice/tools): use x-voice-internal header for loopback fetches
All checks were successful
Deploy / deploy (push) Successful in 3m10s
Tool endpoints (events, notes, transport, weather) call other /api/* routes via loopback (http://localhost:3000). Those routes are middleware-protected — cookie-less loopbacks were getting 401, which surfaced to the voice agent as get_today_events → tool_http_502.

Add internal header bypass: middleware lets the request through when x-voice-internal matches VOICE_API_KEY. Only our own tool endpoints use this header, from inside the same container, so the blast radius is limited to loopback traffic.

- middleware.ts: check x-voice-internal before cookie
- lib/voice-tools.ts: internalHeaders() helper
- app/api/voice/tools/{weather,transport,events,notes}: use it
@@ -14,6 +14,14 @@ export async function middleware(request: NextRequest) {
return NextResponse.next()
}
// Internal loopback bypass: tool endpoints shell out to other API routes.
// They pass x-voice-internal with the same VOICE_API_KEY — safe because
// only processes on the same host (the tablet container itself) know the key.
const internal = request.headers.get('x-voice-internal')
if (internal && internal === process.env.VOICE_API_KEY) {
return NextResponse.next()
}
// Check auth by forwarding to auth check
const token = request.cookies.get('auth_token')?.value
if (!token) {
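Review bot: The new `x-voice-internal` check in `middleware()` returns `NextResponse.next()` for any request that presents the key, and nothing in the condition ties it to loopback, so the comment's claim that it is safe because only same-host processes know the key holds only as long as `VOICE_API_KEY` never leaves the container. Because the bypass sits ahead of the `auth_token` cookie check, it applies to every route this middleware covers, not only the ones the tool endpoints fetch. Consider a separate secret used only for internal calls instead of reusing `VOICE_API_KEY`, limiting the bypass to the paths the tools actually call, and dropping `x-voice-internal` from inbound requests at whatever fronts the container. The `internal === process.env.VOICE_API_KEY` comparison is also not constant-time; a constant-time compare is preferable for a secret.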