fix: wip

packages/auth/server/index.ts

@@ -2,9 +2,11 @@ import { Hono } from 'hono';
 import { HTTPException } from 'hono/http-exception';
 import type { ContentfulStatusCode } from 'hono/utils/http-status';
 
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { extractRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 
+import { setCsrfCookie } from './lib/session/session-cookies';
 import { emailPasswordRoute } from './routes/email-password';
 import { googleRoute } from './routes/google';
 import { passkeyRoute } from './routes/passkey';
@@ -16,8 +18,28 @@ import type { HonoAuthContext } from './types/context';
 export const auth = new Hono<HonoAuthContext>()
   .use(async (c, next) => {
     c.set('requestMetadata', extractRequestMetadata(c.req.raw));
+
+    // Todo: Maybe use auth URL.
+    const validOrigin = new URL(NEXT_PUBLIC_WEBAPP_URL()).origin;
+    const headerOrigin = c.req.header('Origin');
+
+    if (headerOrigin && headerOrigin !== validOrigin) {
+      return c.json(
+        {
+          message: 'Forbidden',
+          statusCode: 403,
+        },
+        403,
+      );
+    }
+
     await next();
   })
+  .get('/csrf', async (c) => {
+    const csrfToken = await setCsrfCookie(c);
+
+    return c.json({ csrfToken });
+  })
   .route('/', sessionRoute)
   .route('/', signOutRoute)
   .route('/email-password', emailPasswordRoute)