Allow self-hosted origins in API verification

Fix install.sh: correct GitHub repo name in compose URL
Point source links to GitHub repo
2026-03-27 09:44:11 +01:00 · 2026-03-27 09:32:34 +01:00 · 2026-03-27 09:11:29 +01:00 · 2026-03-27 09:09:38 +01:00
7 changed files with 17 additions and 9 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -7,10 +7,12 @@ on:

 env:
  IMAGE_NAME: xmrpay
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

 jobs:
  build:
    runs-on: ubuntu-latest
+    environment: DOCKER
    permissions:
      contents: read
      packages: write
--- a/README.md
+++ b/README.md
@@ -145,7 +145,7 @@ xmrpay.link/
 ## Self-Hosting

 ```bash
-git clone https://gitea.schmidt.eco/schmidt1024/xmrpay.link.git
+git clone https://github.com/schmidt1024/xmrpay.git
 cd xmrpay.link
 # Serve with any web server that supports PHP
 # No build tools, no npm, no database required
--- a/api/_helpers.php
+++ b/api/_helpers.php
@@ -14,13 +14,19 @@ function send_security_headers(): void {

 // ── Origin verification ───────────────────────────────────────────────────────
 function verify_origin(): void {
-    $allowed = [
-        'https://xmrpay.link',
-        'http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion',
-    ];
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    // Allow same-origin (no Origin header from direct same-origin requests)
    if ($origin === '') return;
+
+    // Dynamically allow the host this instance runs on
+    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
+    $self_origin = $scheme . '://' . ($_SERVER['HTTP_HOST'] ?? '');
+
+    $allowed = [
+        $self_origin,
+        'https://xmrpay.link',
+        'http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion',
+    ];
    if (!in_array($origin, $allowed, true)) {
        http_response_code(403);
        echo json_encode(['error' => 'Origin not allowed']);
--- a/i18n.js
+++ b/i18n.js
@@ -13,7 +13,7 @@ var I18n = (function () {

  var VERSION = '1.0.0';

-  var footer = 'Open Source &middot; No Tracking &middot; No KYC<br /><a href="https://gitea.schmidt.eco/schmidt1024/xmrpay.link" target="_blank" rel="noopener noreferrer">Source</a> &middot; <a href="http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion" title="Tor Hidden Service">Onion</a> &middot; <a href="/privacy.html">Privacy &amp; Terms</a><br /><span class="version">v' + VERSION + '</span>';
+  var footer = 'Open Source &middot; No Tracking &middot; No KYC<br /><a href="https://github.com/schmidt1024/xmrpay" target="_blank" rel="noopener noreferrer">Source</a> &middot; <a href="http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion" title="Tor Hidden Service">Onion</a> &middot; <a href="/privacy.html">Privacy &amp; Terms</a><br /><span class="version">v' + VERSION + '</span>';

  var translations = {
    en: {
--- a/index.html
+++ b/index.html
@@ -115,7 +115,7 @@
  </main>

  <footer>
-    <p data-i18n-html="footer">Open Source &middot; No Tracking &middot; No KYC<br /><a href="https://gitea.schmidt.eco/schmidt1024/xmrpay.link" target="_blank" rel="noopener noreferrer">Source</a> &middot; <a href="http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion" title="Tor Hidden Service">Onion</a> &middot; <a href="/privacy.html">Privacy &amp; Terms</a><br /><span class="version">v1.0.0</span></p>
+    <p data-i18n-html="footer">Open Source &middot; No Tracking &middot; No KYC<br /><a href="https://github.com/schmidt1024/xmrpay" target="_blank" rel="noopener noreferrer">Source</a> &middot; <a href="http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion" title="Tor Hidden Service">Onion</a> &middot; <a href="/privacy.html">Privacy &amp; Terms</a><br /><span class="version">v1.0.0</span></p>
  </footer>

  <div class="lang-picker" id="langPicker">
--- a/install.sh
+++ b/install.sh
@@ -7,7 +7,7 @@ set -e
 DOMAIN="${1:-}"
 INSTALL_DIR="/opt/xmrpay"
 IMAGE="schmidt1024/xmrpay:latest"
-COMPOSE_URL="https://raw.githubusercontent.com/schmidt1024/xmrpay.link/master/docker-compose.yml"
+COMPOSE_URL="https://raw.githubusercontent.com/schmidt1024/xmrpay/master/docker-compose.yml"

 # ── Helpers ───────────────────────────────────────────────────────────────────

--- a/privacy.html
+++ b/privacy.html
@@ -198,7 +198,7 @@
  </main>

  <footer>
-    <p data-i18n-html="footer">Open Source &middot; No Tracking &middot; No KYC &middot; <a href="https://gitea.schmidt.eco/schmidt1024/xmrpay.link" target="_blank" rel="noopener noreferrer">Source</a> &middot; <a href="http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion" title="Tor Hidden Service">Onion</a> &middot; <a href="/privacy.html">Privacy &amp; Terms</a></p>
+    <p data-i18n-html="footer">Open Source &middot; No Tracking &middot; No KYC &middot; <a href="https://github.com/schmidt1024/xmrpay" target="_blank" rel="noopener noreferrer">Source</a> &middot; <a href="http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion" title="Tor Hidden Service">Onion</a> &middot; <a href="/privacy.html">Privacy &amp; Terms</a></p>
  </footer>

  <div class="lang-picker" id="langPicker">
Author	SHA1	Message	Date
Alexander Schmidt	ffd9327e3e	Allow self-hosted origins in API verification Some checks failed Build & Push Docker Image / build (push) Has been cancelled Details	2026-03-27 09:44:11 +01:00
Alexander Schmidt	40b81a5dc8	Fix install.sh: correct GitHub repo name in compose URL	2026-03-27 09:32:34 +01:00
Alexander Schmidt	dc5582aa04	Point source links to GitHub repo Some checks failed Build & Push Docker Image / build (push) Has been cancelled Details	2026-03-27 09:11:29 +01:00
Alexander Schmidt	643ced23e9	Fix GitHub Actions: add DOCKER environment, use Node.js 24	2026-03-27 09:09:38 +01:00