@commonpub/layer 0.82.0 → 0.83.0

package/server/api/events/[slug].get.ts

@@ -13,5 +13,14 @@ export default defineEventHandler(async (event) => {
   const result = await getEventBySlug(db, slug);
   if (!result) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
 
+  // Only published/active events are publicly viewable. Draft/cancelled/completed
+  // events are visible only to the creator or an admin (mirrors content/contest
+  // draft gating). 404 (not 403) so the slug's existence isn't leaked.
+  if (result.status !== 'published' && result.status !== 'active') {
+    const viewer = getOptionalUser(event);
+    const canView = !!viewer && (viewer.role === 'admin' || viewer.id === result.createdById);
+    if (!canView) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
+  }
+
   return result;
 });

package/server/api/events/index.get.ts

@@ -23,9 +23,16 @@ export default defineEventHandler(async (event) => {
     userId = user.id;
   }
 
+  // hubId feeds a uuid SQL bind; reject a malformed value at the door (a
+  // non-uuid string reaching the bind throws an unhandled 500).
+  const hubId = (query.hubId as string) || undefined;
+  if (hubId && !isUuid(hubId)) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid hubId' });
+  }
+
   return listEvents(db, {
     status,
-    hubId: (query.hubId as string) || undefined,
+    hubId,
     upcoming: query.upcoming === 'true',
     featured: query.featured === 'true',
     userId,

package/server/api/federated-hubs/[id]/posts/[postId]/replies.get.ts

@@ -2,7 +2,7 @@ import { listFederatedHubPostReplies } from '@commonpub/server';
 
 export default defineEventHandler(async (event) => {
   requireFeature('federation');
-  const postId = getRouterParam(event, 'postId')!;
+  const { postId } = parseParams(event, { id: 'uuid', postId: 'uuid' });
   const query = getQuery(event);
   const db = useDB();
 

package/server/api/federation/content/[id]/build.get.ts

@@ -0,0 +1,10 @@
+import { isFederatedBuildMarked } from '@commonpub/server';
+
+// Hydration counterpart to the federated build toggle — see content/[id]/build.get.ts.
+export default defineEventHandler(async (event): Promise<{ marked: boolean }> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+  return { marked: await isFederatedBuildMarked(db, id, user.id) };
+});

package/server/api/hubs/[slug]/invites/[id].delete.ts

@@ -0,0 +1,17 @@
+import { revokeInvite, getHubBySlug } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ revoked: boolean }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug, id } = parseParams(event, { slug: 'string', id: 'uuid' });
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  const revoked = await revokeInvite(db, id, user.id, hub.id);
+  if (!revoked) {
+    throw createError({ statusCode: 403, statusMessage: 'Not authorized to revoke invites' });
+  }
+  return { revoked };
+});

package/server/api/hubs/[slug]/invites.get.ts

@@ -1,4 +1,4 @@
-import { listInvites, getHubBySlug, getMember } from '@commonpub/server';
+import { listInvites, getHubBySlug, getMember, hasPermission } from '@commonpub/server';
 import type { HubInviteItem } from '@commonpub/server';
 
 export default defineEventHandler(async (event): Promise<HubInviteItem[]> => {
@@ -10,9 +10,11 @@ export default defineEventHandler(async (event): Promise<HubInviteItem[]> => {
     throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
   }
 
-  // Only moderators, admins, and owners can view invite lists
+  // Invite management is admin+ (matches createInvite/revokeInvite's manageMembers).
+  // Gating the list at the same level keeps moderators from seeing write controls
+  // they can't use.
   const member = await getMember(db, hub.id, user.id);
-  if (!member || !['moderator', 'admin', 'owner'].includes(member.role)) {
+  if (!member || !hasPermission(member.role, 'manageMembers')) {
     throw createError({ statusCode: 403, statusMessage: 'Insufficient permissions' });
   }
 

package/server/api/hubs/[slug]/posts/[postId]/poll-options.get.ts

@@ -7,8 +7,7 @@ import { getPollOptions, getUserPollVote } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   requireFeature('hubs');
   const db = useDB();
-  const postId = getRouterParam(event, 'postId');
-  if (!postId) throw createError({ statusCode: 400, statusMessage: 'Missing postId' });
+  const { postId } = parseParams(event, { postId: 'uuid' });
 
   const options = await getPollOptions(db, postId);
   const user = getOptionalUser(event);

package/server/api/hubs/[slug]/posts/[postId]/poll-vote.post.ts

@@ -13,8 +13,7 @@ export default defineEventHandler(async (event) => {
   requireFeature('hubs');
   const user = requireAuth(event);
   const db = useDB();
-  const postId = getRouterParam(event, 'postId');
-  if (!postId) throw createError({ statusCode: 400, statusMessage: 'Missing postId' });
+  const { postId } = parseParams(event, { postId: 'uuid' });
 
   const body = await parseBody(event, pollVoteSchema);
   const result = await voteOnPoll(db, postId, body.optionId, user.id);

package/server/api/hubs/[slug]/posts/[postId]/vote.post.ts

@@ -13,8 +13,7 @@ export default defineEventHandler(async (event) => {
   requireFeature('hubs');
   const user = requireAuth(event);
   const db = useDB();
-  const postId = getRouterParam(event, 'postId');
-  if (!postId) throw createError({ statusCode: 400, statusMessage: 'Missing postId' });
+  const { postId } = parseParams(event, { postId: 'uuid' });
 
   const body = await parseBody(event, voteSchema);
   return voteOnPost(db, postId, user.id, body.direction);

package/server/api/hubs/[slug]/requests/[userId]/approve.post.ts

@@ -0,0 +1,15 @@
+import { approveJoinRequest, getHubBySlug } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ approved: boolean; error?: string }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug, userId } = parseParams(event, { slug: 'string', userId: 'uuid' });
+
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  // Permission (manageMembers) is enforced inside approveJoinRequest.
+  return approveJoinRequest(db, user.id, hub.id, userId);
+});

package/server/api/hubs/[slug]/requests/[userId]/deny.post.ts

@@ -0,0 +1,15 @@
+import { denyJoinRequest, getHubBySlug } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ denied: boolean; error?: string }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug, userId } = parseParams(event, { slug: 'string', userId: 'uuid' });
+
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  // Permission (manageMembers) is enforced inside denyJoinRequest.
+  return denyJoinRequest(db, user.id, hub.id, userId);
+});

package/server/api/hubs/[slug]/requests.get.ts

@@ -0,0 +1,20 @@
+import { listJoinRequests, getHubBySlug, getMember } from '@commonpub/server';
+import type { HubMemberItem } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ items: HubMemberItem[]; total: number }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug } = parseParams(event, { slug: 'string' });
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  // Reviewing join requests is a member-management action (admin/owner).
+  const member = await getMember(db, hub.id, user.id);
+  if (!member || !['admin', 'owner'].includes(member.role)) {
+    throw createError({ statusCode: 403, statusMessage: 'Insufficient permissions' });
+  }
+
+  return listJoinRequests(db, hub.id);
+});

package/server/api/hubs/[slug]/resources/[id].delete.ts

@@ -3,8 +3,7 @@ import { deleteHubResource } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   const db = useDB();
   const user = requireAuth(event);
-  const id = getRouterParam(event, 'id');
-  if (!id) throw createError({ statusCode: 400, statusMessage: 'Missing resource ID' });
+  const { id } = parseParams(event, { id: 'uuid' });
 
   const result = await deleteHubResource(db, id, user.id);
   if (!result.success) {

package/server/api/hubs/[slug]/resources/[id].put.ts

@@ -4,8 +4,7 @@ import { updateHubResourceSchema } from '@commonpub/schema';
 export default defineEventHandler(async (event) => {
   const db = useDB();
   const user = requireAuth(event);
-  const id = getRouterParam(event, 'id');
-  if (!id) throw createError({ statusCode: 400, statusMessage: 'Missing resource ID' });
+  const { id } = parseParams(event, { id: 'uuid' });
 
   const input = await parseBody(event, updateHubResourceSchema);
 

package/server/api/products/[id].delete.ts

@@ -1,11 +1,31 @@
 import { deleteProduct } from '@commonpub/server';
+import { products } from '@commonpub/schema';
+import { eq } from 'drizzle-orm';
 
 export default defineEventHandler(async (event): Promise<{ deleted: boolean }> => {
+  const user = requireAuth(event);
   const db = useDB();
-  requirePermission(event, 'content.moderate');
   const { id } = parseParams(event, { id: 'uuid' });
 
-  const deleted = await deleteProduct(db, id);
+  // Owner OR moderator may delete. Resolve the product's owner first.
+  const [product] = await db
+    .select({ createdById: products.createdById })
+    .from(products)
+    .where(eq(products.id, id))
+    .limit(1);
+
+  if (!product) {
+    throw createError({ statusCode: 404, statusMessage: 'Product not found' });
+  }
+
+  if (!ownerOrPermission(event, product.createdById, 'content.moderate')) {
+    throw createError({ statusCode: 403, statusMessage: 'Missing permission: content.moderate' });
+  }
+
+  // Pass userId for an owner-scoped data-layer delete; moderators (non-owners)
+  // are already gated above, so they delete unconditionally.
+  const isOwner = product.createdById === user.id;
+  const deleted = await deleteProduct(db, id, isOwner ? user.id : undefined);
 
   if (!deleted) {
     throw createError({ statusCode: 404, statusMessage: 'Product not found' });

package/server/api/registry/ping.post.ts

@@ -1,4 +1,4 @@
-import { recordRegistryPing, createRateLimitStore, getClientIp } from '@commonpub/server';
+import { recordRegistryPing, createRateLimitStore, getClientIp, recordActivitySeen } from '@commonpub/server';
 import { verifyInboxRequest, extractDomain } from '../../utils/inbox';
 
 /**
@@ -32,13 +32,27 @@ export default defineEventHandler(async (event) => {
   const preRl = await store.check(`registry:ping:ip:${getClientIp(event)}`, PRE_TIER);
   if (!preRl.allowed) reject429(preRl.resetAt);
 
-  const { actorUri } = await verifyInboxRequest(event, 'registry-ping');
+  const { actorUri, body } = await verifyInboxRequest(event, 'registry-ping');
   const domain = extractDomain(actorUri);
 
   // Per-verified-domain cap (the signer is now cryptographically known).
   const rl = await store.check(`registry:ping:${domain}`, PING_TIER);
   if (!rl.allowed) reject429(rl.resetAt);
 
-  const result = await recordRegistryPing(useDB(), domain, actorUri);
+  const db = useDB();
+
+  // Replay dedup: claim the verified activity id BEFORE recording the ping so a
+  // replayed, validly-signed ping can't re-trigger the NodeInfo pull. No id =
+  // process normally. Placed after verification so attacker-chosen ids can't be
+  // seeded.
+  const activityId = body.id;
+  if (typeof activityId === 'string' && activityId.length > 0) {
+    const first = await recordActivitySeen(db, activityId);
+    if (!first) {
+      return { status: 'ok' };
+    }
+  }
+
+  const result = await recordRegistryPing(db, domain, actorUri);
   return { status: result };
 });

package/server/api/search/index.get.ts

@@ -7,7 +7,7 @@ import { z } from 'zod';
 const searchQuerySchema = z.object({
   q: z.string().max(200).optional(),
   type: z.string().optional(),
-  sort: z.enum(['relevance', 'recent', 'popular']).optional(),
+  sort: z.enum(['relevance', 'recent', 'popular', 'likes']).optional(),
   difficulty: z.string().optional(),
   tags: z.string().optional(),
   author: z.string().optional(),
@@ -141,8 +141,10 @@ export default defineEventHandler(async (event): Promise<{ items: unknown[]; tot
       difficulty: params.difficulty as ContentFilters['difficulty'],
       tag: tagList[0],
       // Postgres has no relevance ranking (that's Meilisearch's job) — the old
-      // path also fell back to recency for 'relevance'.
-      sort: params.sort === 'popular' ? 'popular' : 'recent',
+      // path also fell back to recency for 'relevance'. 'popular'/'likes' pass
+      // through (listContent coerces them to recency when the merge federates,
+      // since federated rows carry no view/like counts — same as 'popular').
+      sort: params.sort === 'popular' || params.sort === 'likes' ? params.sort : 'recent',
       limit,
       offset,
     };

package/server/api/social/bookmark.get.ts

@@ -7,6 +7,7 @@ const checkSchema = z.object({
 });
 
 export default defineEventHandler(async (event): Promise<{ bookmarked: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const query = parseQueryParams(event, checkSchema);

package/server/api/social/bookmark.post.ts

@@ -7,6 +7,7 @@ const toggleBookmarkSchema = z.object({
 });
 
 export default defineEventHandler(async (event): Promise<{ bookmarked: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const input = await parseBody(event, toggleBookmarkSchema);

package/server/api/social/bookmarks.get.ts

@@ -8,6 +8,7 @@ const bookmarksQuerySchema = z.object({
 });
 
 export default defineEventHandler(async (event): Promise<PaginatedResponse<BookmarkItem>> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const query = parseQueryParams(event, bookmarksQuerySchema);

package/server/api/social/comments/[id].delete.ts

@@ -1,6 +1,7 @@
 import { deleteComment } from '@commonpub/server';
 
 export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const { id } = parseParams(event, { id: 'uuid' });

package/server/api/social/comments.get.ts

@@ -11,6 +11,7 @@ const commentsQuerySchema = z.object({
 });
 
 export default defineEventHandler(async (event): Promise<CommentItem[]> => {
+  requireFeature('social');
   const db = useDB();
   const query = parseQueryParams(event, commentsQuerySchema);
 

package/server/api/social/comments.post.ts

@@ -6,6 +6,7 @@ import { createCommentSchema } from '@commonpub/schema';
 const FEDERABLE_COMMENT_TYPES = new Set(['project', 'article', 'blog', 'explainer']);
 
 export default defineEventHandler(async (event): Promise<CommentItem> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const config = useConfig();

package/server/api/social/like.get.ts

@@ -8,6 +8,7 @@ const likeQuerySchema = z.object({
 });
 
 export default defineEventHandler(async (event): Promise<{ liked: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const query = parseQueryParams(event, likeQuerySchema);

package/server/api/social/like.post.ts

@@ -11,6 +11,7 @@ const toggleLikeSchema = z.object({
 const FEDERABLE_LIKE_TYPES = new Set(['project', 'article', 'blog', 'explainer']);
 
 export default defineEventHandler(async (event): Promise<{ liked: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const config = useConfig();

package/server/api/users/[username]/content.get.ts

@@ -1,21 +1,33 @@
 import { getUserByUsername, getUserContent } from '@commonpub/server';
-import type { PaginatedResponse, ContentListItem } from '@commonpub/server';
+import type { ContentListItem } from '@commonpub/server';
 import { contentTypeSchema } from '@commonpub/schema';
 import { z } from 'zod';
 
 const userContentQuerySchema = z.object({
   type: contentTypeSchema.optional(),
+  cursor: z.string().optional(),
+  limit: z.coerce.number().int().positive().max(100).optional(),
+  // `?drafts=true` requests the owner's unpublished work; honoured server-side
+  // only when the authenticated viewer IS the profile owner (never trusted as-is).
+  drafts: z.enum(['true', 'false']).optional(),
 });
 
-export default defineEventHandler(async (event): Promise<PaginatedResponse<ContentListItem>> => {
+export default defineEventHandler(async (event): Promise<{ items: ContentListItem[]; nextCursor: string | null }> => {
   const db = useDB();
   const { username } = parseParams(event, { username: 'string' });
   const query = parseQueryParams(event, userContentQuerySchema);
+  const viewer = getOptionalUser(event);
 
   const user = await getUserByUsername(db, username);
   if (!user) {
     throw createError({ statusCode: 404, statusMessage: 'User not found' });
   }
 
-  return getUserContent(db, user.id, query.type);
+  return getUserContent(db, user.id, {
+    type: query.type,
+    cursor: query.cursor,
+    limit: query.limit,
+    drafts: query.drafts === 'true',
+    viewerId: viewer?.id,
+  });
 });

package/server/api/users/[username]/follow.delete.ts

@@ -1,6 +1,7 @@
 import { getUserByUsername, unfollowUser } from '@commonpub/server';
 
 export default defineEventHandler(async (event): Promise<{ unfollowed: boolean }> => {
+  requireFeature('social');
   const db = useDB();
   const user = requireAuth(event);
   const { username } = parseParams(event, { username: 'string' });

package/server/api/users/[username]/follow.post.ts

@@ -1,6 +1,7 @@
 import { getUserByUsername, followUser } from '@commonpub/server';
 
 export default defineEventHandler(async (event): Promise<{ followed: boolean }> => {
+  requireFeature('social');
   const db = useDB();
   const user = requireAuth(event);
   const { username } = parseParams(event, { username: 'string' });

package/server/api/users/[username]/followers.get.ts

@@ -18,5 +18,6 @@ export default defineEventHandler(async (event): Promise<PaginatedResponse<Follo
     throw createError({ statusCode: 404, statusMessage: 'User not found' });
   }
 
-  return listFollowers(db, target.id, query);
+  // Pass the viewer so each row carries isFollowing for the VIEWER (not the owner).
+  return listFollowers(db, target.id, query, getOptionalUser(event)?.id);
 });

package/server/api/users/[username]/following.get.ts

@@ -18,5 +18,6 @@ export default defineEventHandler(async (event): Promise<PaginatedResponse<Follo
     throw createError({ statusCode: 404, statusMessage: 'User not found' });
   }
 
-  return listFollowing(db, target.id, query);
+  // Pass the viewer so each row carries isFollowing for the VIEWER (not the owner).
+  return listFollowing(db, target.id, query, getOptionalUser(event)?.id);
 });

package/server/middleware/content-ap.ts

@@ -53,6 +53,10 @@ export default defineEventHandler(async (event) => {
       typeFilter,
       eq(contentItems.slug, slug),
       eq(contentItems.status, 'published'),
+      // Only PUBLIC content is dereferenceable over ActivityPub. Without this,
+      // an unauthenticated Accept: application/activity+json request would return
+      // the full body of a members-only/private item (audit session 204 — P0).
+      eq(contentItems.visibility, 'public'),
       isNull(contentItems.deletedAt),
     ))
     .limit(1);
@@ -68,9 +72,10 @@ export default defineEventHandler(async (event) => {
       title: row.content.title,
       slug: row.content.slug,
       description: row.content.description,
-      content: typeof row.content.content === 'string'
-        ? row.content.content
-        : JSON.stringify(row.content.content),
+      // Pass blocks through as-is: contentToArticle renders BlockTuple[] to HTML.
+      // Pre-stringifying forced the string branch, shipping raw JSON as the AP
+      // `content` (remote instances showed JSON instead of rendered HTML). (session 204)
+      content: row.content.content,
       coverImageUrl: row.content.coverImageUrl,
       publishedAt: row.content.publishedAt,
       updatedAt: row.content.updatedAt,

package/server/middleware/csrf.ts

@@ -0,0 +1,93 @@
+// CSRF defense for cookie-authenticated custom `/api/*` routes (audit session 204).
+//
+// The custom Nitro `/api/*` routes authenticate the browser via the Better Auth
+// SESSION COOKIE (resolved in middleware/auth.ts). Cookies are sent automatically
+// on cross-site requests, so without an Origin check a malicious page could drive
+// a logged-in user's browser to issue state-changing POST/PUT/PATCH/DELETE calls
+// (classic CSRF).
+//
+// This middleware runs ahead of the route handler (Nitro runs middleware
+// alphabetically — `csrf.ts` sorts before `features.ts`, `public-api-auth.ts`,
+// `security.ts`, `theme.ts`; after `auth.ts`, `content-*`. It does NOT depend on
+// auth's resolved session — it makes its own decision purely from the presence of
+// the session cookie + the Origin/Referer header, so ordering relative to auth.ts
+// is irrelevant) and rejects any unsafe-method `/api/*` request that:
+//   1. carries a Better Auth session cookie (i.e. is cookie-authenticated), AND
+//   2. whose Origin (or, lacking that, Referer) host does NOT match the request host.
+//
+// Requests with NO session cookie pass through untouched: bearer-token public-API
+// callers (`/api/public/*`), AP inbox (`/`-level, HTTP-signature auth), and plain
+// unauthenticated requests are not cookie-CSRF-able.
+//
+// Exemptions:
+//   - `/api/auth/*`  — Better Auth enforces its own CSRF via trustedOrigins.
+//   - `/api/public/*` — bearer-token auth, no cookie reliance.
+//
+// Why legit usage is unaffected: a same-origin browser fetch/XHR always sends an
+// `Origin` header whose host equals the page host (and the API host, same origin),
+// so the host comparison passes. Cross-site attacker requests send the attacker's
+// Origin (or, for top-level form posts, a Referer from the attacker's page), which
+// won't match — and even Origin-less navigations carrying the cookie are blocked.
+import { getBetterAuthSessionCookieName } from '../utils/betterAuthCookie';
+
+const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+
+/** Extract the host (host:port) from an absolute URL string; null if unparseable. */
+function hostOf(value: string | undefined): string | null {
+  if (!value) return null;
+  try {
+    return new URL(value).host;
+  } catch {
+    return null;
+  }
+}
+
+export default defineEventHandler((event) => {
+  const method = event.method.toUpperCase();
+  if (!UNSAFE_METHODS.has(method)) return;
+
+  const url = getRequestURL(event);
+  const pathname = url.pathname;
+
+  // Only guard custom cookie-auth API routes.
+  if (!pathname.startsWith('/api/')) return;
+  // Better Auth owns its own CSRF; bearer-token public API doesn't use the cookie.
+  if (pathname.startsWith('/api/auth/') || pathname.startsWith('/api/public/')) return;
+
+  // Is this request cookie-authenticated? Check both possible cookie names
+  // (`__Secure-`-prefixed in prod / HTTPS, bare otherwise) so we don't depend on
+  // env detection being perfectly in sync — if EITHER is present, treat it as a
+  // cookie-auth attempt and enforce the origin check.
+  const hasSessionCookie =
+    getCookie(event, getBetterAuthSessionCookieName(true)) !== undefined ||
+    getCookie(event, getBetterAuthSessionCookieName(false)) !== undefined;
+
+  // No session cookie => not cookie-CSRF-able (bearer / public / anonymous). Pass.
+  if (!hasSessionCookie) return;
+
+  const requestHost = url.host;
+
+  // Prefer Origin (sent on all CORS-relevant requests incl. same-origin fetch);
+  // fall back to Referer for environments/requests that omit Origin.
+  const originHeader = getRequestHeader(event, 'origin');
+  const originHost = hostOf(originHeader);
+
+  if (originHost !== null) {
+    if (originHost !== requestHost) {
+      throw createError({ statusCode: 403, statusMessage: 'CSRF origin check failed' });
+    }
+    return;
+  }
+
+  const refererHost = hostOf(getRequestHeader(event, 'referer'));
+  if (refererHost !== null) {
+    if (refererHost !== requestHost) {
+      throw createError({ statusCode: 403, statusMessage: 'CSRF origin check failed' });
+    }
+    return;
+  }
+
+  // Cookie-authenticated unsafe request with NO Origin AND NO Referer: cannot be
+  // proven same-origin, so reject. Legitimate browser XHR/fetch always sends one.
+  throw createError({ statusCode: 403, statusMessage: 'CSRF origin check failed' });
+});