refactor: delegate security to CloudFlare and clean up mailgun-webhook

Remove application-level CORS and IP whitelisting, as security is now handled at the CloudFlare edge. CORS is not applicable to a backend webhook service, and IP whitelisting is more effectively managed at the infrastructure layer. Also translate the Dockerfile comments to English and add the registry URL to the build script.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-07 12:47:07 +01:00
parent d081386b9f
commit 45d5507bf9
4 changed files with 13 additions and 31 deletions


@@ -16,7 +16,7 @@ COPY ./src ./src
RUN npm run build RUN npm run build
#-------------------------------------------- #--------------------------------------------
# Stage: instaliram produkcijski node_modules # Stage: installing production node_modules
#-------------------------------------------- #--------------------------------------------
FROM node:20 AS package-stage FROM node:20 AS package-stage
@@ -24,11 +24,11 @@ WORKDIR /app
COPY ./package*.json ./ COPY ./package*.json ./
# instaliram SAMO produkcijske # install ONLY production dependencies
RUN npm i --omit=dev && npm cache clean --force RUN npm i --omit=dev && npm cache clean --force
#-------------------------------------------- #--------------------------------------------
# Stage: priprema finalnog image-a # Stage: preparing final image
#-------------------------------------------- #--------------------------------------------
FROM gcr.io/distroless/nodejs:20 AS assembly-stage FROM gcr.io/distroless/nodejs:20 AS assembly-stage
@@ -45,30 +45,22 @@ ENV PROMETHEUS_APP_LABEL=${PROMETHEUS_APP_LABEL}=${PROMETHEUS_APP_LABEL}
ARG PROMETHEUS_HISTOGRAM_BUCKETS ARG PROMETHEUS_HISTOGRAM_BUCKETS
ENV PROMETHEUS_HISTOGRAM_BUCKETS=${PROMETHEUS_HISTOGRAM_BUCKETS}=${PROMETHEUS_HISTOGRAM_BUCKETS} ENV PROMETHEUS_HISTOGRAM_BUCKETS=${PROMETHEUS_HISTOGRAM_BUCKETS}=${PROMETHEUS_HISTOGRAM_BUCKETS}
# CORS settings: kojim domenama dopuštam pristup slikama # (optional) enables logging to stdout
ARG CORS_ALLOWED_ORIGINS
ENV CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS}
# (optional) IP Address whitelist za metrics i prtg router
ARG METRICS_ALLOWED_IP_ADDRESSES
ENV METRICS_ALLOWED_IP_ADDRESSES=${METRICS_ALLOWED_IP_ADDRESSES}
# (optional) uključuje logging u stdout
ARG DEBUG ARG DEBUG
ENV DEBUG=${DEBUG} ENV DEBUG=${DEBUG}
# kopiram node-modules # copying node_modules
COPY --from=package-stage /app/package*.json ./ COPY --from=package-stage /app/package*.json ./
COPY --from=package-stage /app/node_modules ./node_modules COPY --from=package-stage /app/node_modules ./node_modules
# kopiram buildane datoteke # copying built files
COPY --from=build-stage /app/build ./server COPY --from=build-stage /app/build ./server
# server vrtim pod ograničenim "nobody" korisnikom # running the server under limited "nobody" user
USER nobody:nobody USER nobody:nobody
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \ HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \
CMD ["/nodejs/bin/node", "./server/healthcheck.js"] CMD ["/nodejs/bin/node", "./server/healthcheck.js"]
# pokrećem server # starting the server
CMD ["./server/entry.js"] CMD ["./server/entry.js"]
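Review bot: Removing the `METRICS_ALLOWED_IP_ADDRESSES` ARG/ENV pair leaves the metrics route with no application-level restriction, so the control the commit message relies on holds only if the container is never reachable except through CloudFlare. Nothing visible in this section enforces that, and a Prometheus scraper or any peer on the container network would presumably reach the origin directly, bypassing the edge. The README in this same commit still lists signature verification as a future enhancement, so edge IP filtering appears to be the only check on webhook authenticity. I would record the assumption where the variables were removed, e.g. `# access control for metrics and the webhook is enforced at the CloudFlare edge; the origin must accept traffic only from CloudFlare`, and confirm the origin firewall or tunnel actually does so before this image is deployed.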


@@ -9,18 +9,18 @@ fi
read -p "BUILD: Push new image to registry [y/n]? " -n 1 -r read -p "BUILD: Push new image to registry [y/n]? " -n 1 -r
echo # (optional) move to a new line echo # (optional) move to a new line
PUSH_IMAGE_TO_REPO="$REPLY" PUSH_IMAGE="$REPLY"
printf "\nBUILD START ...\n\n" printf "\nBUILD START ...\n\n"
REGISTRY_URL="registry.budakova.org"
IMAGE_NAME=$(node -p "require('./package.json').name") IMAGE_NAME=$(node -p "require('./package.json').name")
IMAGE_VERSION=$1 IMAGE_VERSION=$1
IMAGE_TAG=$IMAGE_NAME:$IMAGE_VERSION IMAGE_TAG=$REGISTRY_URL/$IMAGE_NAME:$IMAGE_VERSION
docker build . -t $IMAGE_TAG docker build . -t $IMAGE_TAG
if [[ "$PUSH_IMAGE_TO_REPO" =~ ^[Yy]$ ]] if [[ "$PUSH_IMAGE" =~ ^[Yy]$ ]]
then then
printf "\nPushing image ...\n\n" printf "\nPushing image ...\n\n"
docker push $IMAGE_TAG docker push $IMAGE_TAG
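Review bot: `$IMAGE_TAG` is expanded unquoted in `docker build . -t $IMAGE_TAG` and `docker push $IMAGE_TAG`, and it is now assembled from three parts including `$1`, so an empty version or one containing whitespace would yield a malformed tag or extra arguments to docker. Quote both uses, `docker build . -t "$IMAGE_TAG"` and `docker push "$IMAGE_TAG"`. The registry host is hard-coded; `REGISTRY_URL="${REGISTRY_URL:-registry.budakova.org}"` would keep the default while letting a build push elsewhere without editing the script. The check that ends in `fi` before the hunk is not visible, so `$1` may already be validated there, and the `if` block appears to close after the last line shown.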


@@ -133,7 +133,7 @@ For **unsubscribed** events:
### Future Enhancements ### Future Enhancements
For production deployment, consider: For production deployment, consider:
- **Signature Verification**: Verify webhook authenticity using `timestamp`, `token`, and `signature` - **Signature Verification**: Verify webhook authenticity using `timestamp`, `token`, and `signature`
- **IP Whitelisting**: Restrict to MailGun's IP ranges - **IP Whitelisting**: Restrict to MailGun's IP ranges (implemented via CloudFlare)
- **Rate Limiting**: Prevent abuse - **Rate Limiting**: Prevent abuse
## Database Integration ## Database Integration


@@ -13,16 +13,6 @@ declare global {
* @default "0.1, 0.5, 1, 5, 10" * @default "0.1, 0.5, 1, 5, 10"
* */ * */
PROMETHEUS_HISTOGRAM_BUCKETS?: string, PROMETHEUS_HISTOGRAM_BUCKETS?: string,
/**
* (optional) CORS settings: which domains are allowed to access resources
* @summary If parameter is not set, origin checking will be disabled
* */
CORS_ALLOWED_ORIGINS?:string,
/**
* (optional) IP Address whitelist for prometheus metrics (if not set whitelisting will be disabled)
* @summary Although this param is optional, it is recommended for security reasons
* */
METRICS_ALLOWED_IP_ADDRESSES?:string,
} }
} }
} }