Allow self-hosted origins in API verification

Fix install.sh: correct GitHub repo name in compose URL
2026-03-27 09:44:11 +01:00 · 2026-03-27 09:32:34 +01:00
2 changed files with 11 additions and 5 deletions
--- a/api/_helpers.php
+++ b/api/_helpers.php
@@ -14,13 +14,19 @@ function send_security_headers(): void {

 // ── Origin verification ───────────────────────────────────────────────────────
 function verify_origin(): void {
-    $allowed = [
-        'https://xmrpay.link',
-        'http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion',
-    ];
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    // Allow same-origin (no Origin header from direct same-origin requests)
    if ($origin === '') return;
+
+    // Dynamically allow the host this instance runs on
+    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
+    $self_origin = $scheme . '://' . ($_SERVER['HTTP_HOST'] ?? '');
+
+    $allowed = [
+        $self_origin,
+        'https://xmrpay.link',
+        'http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion',
+    ];
    if (!in_array($origin, $allowed, true)) {
        http_response_code(403);
        echo json_encode(['error' => 'Origin not allowed']);
--- a/install.sh
+++ b/install.sh
@@ -7,7 +7,7 @@ set -e
 DOMAIN="${1:-}"
 INSTALL_DIR="/opt/xmrpay"
 IMAGE="schmidt1024/xmrpay:latest"
-COMPOSE_URL="https://raw.githubusercontent.com/schmidt1024/xmrpay.link/master/docker-compose.yml"
+COMPOSE_URL="https://raw.githubusercontent.com/schmidt1024/xmrpay/master/docker-compose.yml"

 # ── Helpers ───────────────────────────────────────────────────────────────────
Author	SHA1	Message	Date
Alexander Schmidt	ffd9327e3e	Allow self-hosted origins in API verification Some checks failed Build & Push Docker Image / build (push) Has been cancelled Details	2026-03-27 09:44:11 +01:00
Alexander Schmidt	40b81a5dc8	Fix install.sh: correct GitHub repo name in compose URL	2026-03-27 09:32:34 +01:00