From 45d5507bf9394c0979e03093411dd23ac5ef7b7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Dere=C5=BEi=C4=87?=
Date: Wed, 7 Jan 2026 12:47:07 +0100
Subject: [PATCH] refactor: delegate security to CloudFlare and clean up mailgun-webhook
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove application-level CORS and IP whitelisting as security is now handled at CloudFlare edge. CORS is not applicable for backend webhook service, and IP whitelisting is more effectively managed at infrastructure layer.

Also translate Dockerfile comments to English and add registry URL to build script.

šŸ¤– Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5
---
 mailgun-webhook/Dockerfile | 24 +++++++----------
 mailgun-webhook/build-image.sh | 8 +++----
 .../docs/MAILGUN_WEBHOOK_API_SPEC.md | 2 +-
 mailgun-webhook/src/types/environment.d.ts | 10 --------
 4 files changed, 13 insertions(+), 31 deletions(-)

diff --git a/mailgun-webhook/Dockerfile b/mailgun-webhook/Dockerfile
index 7543a81..79b0cb2 100644
--- a/mailgun-webhook/Dockerfile
+++ b/mailgun-webhook/Dockerfile
@@ -16,7 +16,7 @@ COPY ./src ./src
 RUN npm run build
 #--------------------------------------------
-# Stage: instaliram produkcijski node_modules
+# Stage: installing production node_modules
 #--------------------------------------------
 FROM node:20 AS package-stage
@@ -24,11 +24,11 @@ WORKDIR /app
 COPY ./package*.json ./
-# instaliram SAMO produkcijske
+# install ONLY production dependencies
 RUN npm i --omit=dev && npm cache clean --force
 #--------------------------------------------
-# Stage: priprema finalnog image-a
+# Stage: preparing final image
 #--------------------------------------------
 FROM gcr.io/distroless/nodejs:20 AS assembly-stage
@@ -45,30 +45,22 @@ ENV PROMETHEUS_APP_LABEL=${PROMETHEUS_APP_LABEL}=${PROMETHEUS_APP_LABEL}
 ARG PROMETHEUS_HISTOGRAM_BUCKETS
 ENV PROMETHEUS_HISTOGRAM_BUCKETS=${PROMETHEUS_HISTOGRAM_BUCKETS}=${PROMETHEUS_HISTOGRAM_BUCKETS}
-# CORS settings: kojim domenama dopuÅ”tam pristup slikama
-ARG CORS_ALLOWED_ORIGINS
-ENV CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS}
-
-# (optional) IP Address whitelist za metrics i prtg router
-ARG METRICS_ALLOWED_IP_ADDRESSES
-ENV METRICS_ALLOWED_IP_ADDRESSES=${METRICS_ALLOWED_IP_ADDRESSES}
-
-# (optional) uključuje logging u stdout
+# (optional) enables logging to stdout
 ARG DEBUG
 ENV DEBUG=${DEBUG}
-# kopiram node-modules
+# copying node_modules
 COPY --from=package-stage /app/package*.json ./
 COPY --from=package-stage /app/node_modules ./node_modules
-# kopiram buildane datoteke
+# copying built files
 COPY --from=build-stage /app/build ./server
-# server vrtim pod ograničenim "nobody" korisnikom
+# running the server under limited "nobody" user
 USER nobody:nobody
 HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \
 CMD ["/nodejs/bin/node", "./server/healthcheck.js"]
-# pokrećem server
+# starting the server
 CMD ["./server/entry.js"]
diff --git a/mailgun-webhook/build-image.sh b/mailgun-webhook/build-image.sh
index 929802a..4401670 100755
--- a/mailgun-webhook/build-image.sh
+++ b/mailgun-webhook/build-image.sh
@@ -9,18 +9,18 @@ fi
 read -p "BUILD: Push new image to registry [y/n]? " -n 1 -r
 echo # (optional) move to a new line
-PUSH_IMAGE_TO_REPO="$REPLY"
+PUSH_IMAGE="$REPLY"
 printf "\nBUILD START ...\n\n"
+REGISTRY_URL="registry.budakova.org"
 IMAGE_NAME=$(node -p "require('./package.json').name")
 IMAGE_VERSION=$1
-IMAGE_TAG=$IMAGE_NAME:$IMAGE_VERSION
-
+IMAGE_TAG=$REGISTRY_URL/$IMAGE_NAME:$IMAGE_VERSION
 docker build . -t $IMAGE_TAG
-if [[ "$PUSH_IMAGE_TO_REPO" =~ ^[Yy]$ ]]
+if [[ "$PUSH_IMAGE" =~ ^[Yy]$ ]]
 then
 printf "\nPushing image ...\n\n"
 docker push $IMAGE_TAG
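Review bot: With `ARG METRICS_ALLOWED_IP_ADDRESSES` / `ENV METRICS_ALLOWED_IP_ADDRESSES` and the `CORS_ALLOWED_ORIGINS` pair removed, the diffstat touches no file under `src/` other than the type declaration, so if the middleware that read these variables still exists it now runs with checking disabled rather than failing closed (the removed `environment.d.ts` comment states that an unset value disables the whitelist); please confirm it was removed elsewhere, or remove it in this commit. The edge-only model also assumes the origin is reachable only through CloudFlare — a directly routable origin bypasses every edge rule — and the API spec in this same patch still lists signature verification as a future enhancement, so the edge allow-list is currently the only authenticity check on inbound webhooks. That constraint is worth recording next to `ARG DEBUG`, e.g. `# Access control (IP allow-list, CORS) is enforced at the CloudFlare edge; the origin must only accept traffic from CloudFlare (firewall to its published ranges or authenticated origin pulls)`. Separately, the unchanged context lines `ENV PROMETHEUS_APP_LABEL=${PROMETHEUS_APP_LABEL}=${PROMETHEUS_APP_LABEL}` and `ENV PROMETHEUS_HISTOGRAM_BUCKETS=${PROMETHEUS_HISTOGRAM_BUCKETS}=${PROMETHEUS_HISTOGRAM_BUCKETS}` read as assigning `value=value`; if that is the file's actual content rather than an artifact of how this patch was captured, it deserves a follow-up.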
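Review bot: `IMAGE_TAG=$REGISTRY_URL/$IMAGE_NAME:$IMAGE_VERSION` is expanded unquoted in `docker build . -t $IMAGE_TAG` and `docker push $IMAGE_TAG`; `IMAGE_NAME` comes from `package.json` and `IMAGE_VERSION` from `$1`, so an unexpected space or glob character would word-split or expand the argument, and quoting both (`docker build . -t "$IMAGE_TAG"`, `docker push "$IMAGE_TAG"`) costs nothing. The new hard-coded `REGISTRY_URL="registry.budakova.org"` could accept an environment override, `REGISTRY_URL="${REGISTRY_URL:-registry.budakova.org}"`, so the script can target a staging registry without editing it. The `if … fi` block that precedes this hunk starts outside it, so whether `$1` is validated there cannot be seen here.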
diff --git a/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md b/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md
index 0bd30bc..38f602f 100644
--- a/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md
+++ b/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md
@@ -133,7 +133,7 @@ For **unsubscribed** events:
 ### Future Enhancements
 For production deployment, consider:
 - **Signature Verification**: Verify webhook authenticity using `timestamp`, `token`, and `signature`
-- **IP Whitelisting**: Restrict to MailGun's IP ranges
+- **IP Whitelisting**: Restrict to MailGun's IP ranges (implemented via CloudFlare)
 - **Rate Limiting**: Prevent abuse
 ## Database Integration
diff --git a/mailgun-webhook/src/types/environment.d.ts b/mailgun-webhook/src/types/environment.d.ts
index 6464acd..fb97f11 100644
--- a/mailgun-webhook/src/types/environment.d.ts
+++ b/mailgun-webhook/src/types/environment.d.ts
@@ -13,16 +13,6 @@ declare global {
 * @default "0.1, 0.5, 1, 5, 10"
 * */
 PROMETHEUS_HISTOGRAM_BUCKETS?: string,
- /** * (optional) CORS settings: which domains are allowed to access resources * @summary If parameter is not set, origin checking will be disabled * */
- CORS_ALLOWED_ORIGINS?:string,
- /** * (optional) IP Address whitelist for prometheus metrics (if not set whitelisting will be disabled) * @summary Although this param is optional, it is recommended for security reasons * */
- METRICS_ALLOWED_IP_ADDRESSES?:string,
 }
 }
 }