enhance(play): add logging + distinguish runner responses

mdn · Feb 21, 2025 · 2bc2ca7 · 2bc2ca7
1 parent 7fa3147
commit 2bc2ca7
Showing 1 changed file with 28 additions and 11 deletions.
diff --git a/libs/play/index.js b/libs/play/index.js
@@ -346,22 +346,39 @@ export async function handleRunner(req, res) {
     "https://example.com"
   );
   const stateParam = url.searchParams.get("state");
+
+  if (!stateParam) {
+    console.warn("[runner] Missing state parameter");
+    return res.status(400).end();
+  }
+
   const { state, hash } = await decompressFromBase64(stateParam);
 
-  const isLocalhost = req.hostname === "localhost";
-  const hasMatchingHash = playSubdomain(req.hostname) === hash;
-  const isIframeOnMDN =
-    referer.hostname === ORIGIN_MAIN &&
-    req.headers["sec-fetch-dest"] === "iframe";
-
-  if (
-    !stateParam ||
-    !state ||
-    (!isLocalhost && !hasMatchingHash && !isIframeOnMDN)
-  ) {
+  if (!state) {
+    console.warn("[runner] Invalid state parameter");
     return res.status(404).end();
   }
 
+  if (req.hostname !== "localhost") {
+    const expectedHash = playSubdomain(req.hostname);
+
+    if (expectedHash !== hash) {
+      console.warn(
+        `[runner] Hash mismatch: ${JSON.stringify({ expectedHash, hash })}`
+      );
+
+      const isOnMDN = referer.hostname === ORIGIN_MAIN;
+      const isIframe = req.headers["sec-fetch-dest"] === "iframe";
+
+      if (!isOnMDN || !isIframe) {
+        console.warn(
+          `[runner] No iframe on MDN: ${JSON.stringify({ isOnMDN, isIframe })}`
+        );
+        return res.status(403).end();
+      }
+    }
+  }
+
   const json = JSON.parse(state);
   const codeParam = url.searchParams.get("code");
   const codeCookie = req.cookies["code"];