From 67b2fb78b79e5265c7bb7a3fa0c9cb579cd4fb12 Mon Sep 17 00:00:00 2001 From: Heidrich Digital Date: Wed, 17 Jun 2026 16:42:57 +0000 Subject: [PATCH] =?UTF-8?q?Fix=20(code-review):=20=C3=B6ffentliche=20Basis?= =?UTF-8?q?-URL=20aus=20X-Forwarded-*=20bzw.=20PUBLIC=5FBASE=5FURL=20statt?= =?UTF-8?q?=20request-origin=20(localhost=20hinter=20Proxy)=20=E2=80=94=20?= =?UTF-8?q?korrekte=20Return-/Webhook-/Erfolgs-URLs=20f=C3=BCr=20Mollie+De?= =?UTF-8?q?mo?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 src/pages/api/checkout.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/pages/api/checkout.js b/src/pages/api/checkout.js
index 2766405..586b35b 100644
--- a/src/pages/api/checkout.js
+++ b/src/pages/api/checkout.js
@@ -8,6 +8,16 @@ export const prerender = false;
 function json(obj, status = 200) {
 return new Response(JSON.stringify(obj), { status, headers: { 'Content-Type': 'application/json' } });
 }
+function publicBase(request) {
+ const env = (process.env.PUBLIC_BASE_URL || '').trim().replace(/\/$/, '');
+ if (env) return env;
+ const proto = request.headers.get('x-forwarded-proto') || 'https';
+ const host = request.headers.get('x-forwarded-host') || request.headers.get('host');
+ if (host) return `${proto}://${host}`;
+ try { return new URL(request.url).origin; } catch { return ''; }
+}
+
+
 export async function POST({ request }) {
 let body;
 try { body = await request.json(); } catch { return json({ error: 'Bad request' }, 400); }
@@ -83,7 +93,7 @@ export async function POST({ request }) {
 redeemDiscount(discount.id, discount.code, email, order.id, discount.freeShipping ? 0 : discountCents);
 }
- const origin = new URL(request.url).origin;
+ const origin = publicBase(request);
 const returnUrl = `${origin}/bestellung-erfolgreich?order=${order.number}`;
 const pay = await createPayment({ order, items: lineItems, lineItems, totalCents: total, shippingCents,
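Review bot: `publicBase` falls back to `X-Forwarded-Proto`, `X-Forwarded-Host` and `Host` without validating them, and those headers are client-supplied unless the edge proxy is known to overwrite them; because the result becomes the Mollie return URL (and, per the subject line, the webhook URL), any deployment with `PUBLIC_BASE_URL` unset lets a request steer the post-payment redirect to a host of the sender's choosing. Forwarded headers can also be comma-separated hop chains (`https, http`), so the raw value may yield a malformed origin, and `proto` is not restricted to `http`/`https`. The `request.url` fallback is derived from the same `Host` header and carries the same issue, and `return ''` then produces a relative `returnUrl`, which the payment provider will most likely reject. Suggest treating `PUBLIC_BASE_URL` as required in production and, where the header fallback is kept, taking only the first hop and accepting the host only against a fixed allowlist, with an empty result handled as a configuration error at the call site (`if (!origin) return json({ error: 'Server misconfigured' }, 500);`) rather than sent on. The two trailing `+` blank lines before `POST` can be reduced to one.
```javascript
// Hosts this deployment may advertise in outbound URLs; header values outside
// this set are ignored. PLACEHOLDER source — wire to real configuration.
const ALLOWED_HOSTS = new Set([/* 'shop.example' (constructed example) */]);

function publicBase(request) {
  const env = (process.env.PUBLIC_BASE_URL || '').trim().replace(/\/$/, '');
  if (env) return env;
  // Forwarded headers may carry a comma-separated chain; only the first hop describes the client-facing edge.
  const firstHop = (name) => (request.headers.get(name) || '').split(',')[0].trim().toLowerCase();
  const proto = firstHop('x-forwarded-proto') || 'https';
  const host = firstHop('x-forwarded-host') || firstHop('host');
  // Fail closed: an unknown scheme or host must not become a payment return/webhook URL.
  if (!['http', 'https'].includes(proto) || !ALLOWED_HOSTS.has(host)) return '';
  return `${proto}://${host}`;
}
```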