refactor: delegate security to CloudFlare and clean up mailgun-webhook

Remove application-level CORS and IP whitelisting as security is now handled at CloudFlare edge. CORS is not applicable for backend webhook service, and IP whitelisting is more effectively managed at infrastructure layer. Also translate Dockerfile comments to English and add registry URL to build script. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-07 12:47:07 +01:00
parent d081386b9f
commit 45d5507bf9
4 changed files with 13 additions and 31 deletions
--- a/mailgun-webhook/Dockerfile
+++ b/mailgun-webhook/Dockerfile
@@ -16,7 +16,7 @@ COPY ./src ./src
 RUN npm run build

 #--------------------------------------------
-# Stage: instaliram produkcijski node_modules
+# Stage: installing production node_modules
 #--------------------------------------------
 FROM node:20 AS package-stage

@@ -24,11 +24,11 @@ WORKDIR /app

 COPY ./package*.json ./

-# instaliram SAMO produkcijske
+# install ONLY production dependencies
 RUN npm i --omit=dev && npm cache clean --force

 #--------------------------------------------
-# Stage: priprema finalnog image-a
+# Stage: preparing final image
 #--------------------------------------------
 FROM gcr.io/distroless/nodejs:20 AS assembly-stage

@@ -45,30 +45,22 @@ ENV PROMETHEUS_APP_LABEL=${PROMETHEUS_APP_LABEL}=${PROMETHEUS_APP_LABEL}
 ARG PROMETHEUS_HISTOGRAM_BUCKETS
 ENV PROMETHEUS_HISTOGRAM_BUCKETS=${PROMETHEUS_HISTOGRAM_BUCKETS}=${PROMETHEUS_HISTOGRAM_BUCKETS}

-# CORS settings: kojim domenama dopuštam pristup slikama
-ARG CORS_ALLOWED_ORIGINS
-ENV CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS}
-
-# (optional) IP Address whitelist za metrics i prtg router
-ARG METRICS_ALLOWED_IP_ADDRESSES
-ENV METRICS_ALLOWED_IP_ADDRESSES=${METRICS_ALLOWED_IP_ADDRESSES}
-
-# (optional) uključuje logging u stdout
+# (optional) enables logging to stdout
 ARG DEBUG
 ENV DEBUG=${DEBUG}

-# kopiram node-modules
+# copying node_modules
 COPY  --from=package-stage /app/package*.json ./
 COPY  --from=package-stage /app/node_modules ./node_modules

-# kopiram buildane datoteke
+# copying built files
 COPY  --from=build-stage /app/build ./server

-# server vrtim pod ograničenim "nobody" korisnikom
+# running the server under limited "nobody" user
 USER nobody:nobody

 HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \
   CMD ["/nodejs/bin/node", "./server/healthcheck.js"]

-# pokrećem server
+# starting the server
 CMD ["./server/entry.js"]
--- a/mailgun-webhook/build-image.sh
+++ b/mailgun-webhook/build-image.sh
@@ -9,18 +9,18 @@ fi
 read -p "BUILD: Push new image to registry [y/n]? " -n 1 -r
 echo    # (optional) move to a new line

-PUSH_IMAGE_TO_REPO="$REPLY"
+PUSH_IMAGE="$REPLY"

 printf "\nBUILD START ...\n\n"

+REGISTRY_URL="registry.budakova.org"
 IMAGE_NAME=$(node -p "require('./package.json').name")
 IMAGE_VERSION=$1

-IMAGE_TAG=$IMAGE_NAME:$IMAGE_VERSION
-
+IMAGE_TAG=$REGISTRY_URL/$IMAGE_NAME:$IMAGE_VERSION
 docker build . -t $IMAGE_TAG

-if [[ "$PUSH_IMAGE_TO_REPO" =~ ^[Yy]$ ]]
+if [[ "$PUSH_IMAGE" =~ ^[Yy]$ ]]
 then
    printf "\nPushing image ...\n\n"
    docker push $IMAGE_TAG
--- a/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md
+++ b/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md
@@ -133,7 +133,7 @@ For **unsubscribed** events:
 ### Future Enhancements
 For production deployment, consider:
 - **Signature Verification**: Verify webhook authenticity using `timestamp`, `token`, and `signature`
- **IP Whitelisting**: Restrict to MailGun's IP ranges
+- **IP Whitelisting**: Restrict to MailGun's IP ranges (implemented via CloudFlare)
 - **Rate Limiting**: Prevent abuse

 ## Database Integration
--- a/mailgun-webhook/src/types/environment.d.ts
+++ b/mailgun-webhook/src/types/environment.d.ts
@@ -13,16 +13,6 @@ declare global {
             * @default "0.1, 0.5, 1, 5, 10"
             * */
            PROMETHEUS_HISTOGRAM_BUCKETS?: string,
-            /**
-             * (optional) CORS settings: which domains are allowed to access resources
-             * @summary If parameter is not set, origin checking will be disabled
-             * */
-            CORS_ALLOWED_ORIGINS?:string,
-            /**
-             * (optional) IP Address whitelist for prometheus metrics (if not set whitelisting will be disabled)
-             * @summary Although this param is optional, it is recommended for security reasons
-             * */
-            METRICS_ALLOWED_IP_ADDRESSES?:string,
        }
    }
 }