internal/api: better multi-sites support; validate events against allowed domains

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: Iff1ced4966b4d42cfd6dfefb0cfd97696a6a6964
2026-03-01 14:27:20 +03:00 · 2026-03-01 14:27:20 +03:00 · 18fe1a8234
commit 18fe1a8234
parent 16ace569a0
10 changed files with 542 additions and 35 deletions
--- a/internal/api/event.go
+++ b/internal/api/event.go
@ -39,14 +39,22 @@ func ParseEvent(body io.Reader) (*Event, error) {
 	return &event, nil
 }

-// Validate checks if the event is valid for the given domain
-func (e *Event) Validate(expectedDomain string) error {
+// Validate checks if the event is valid for the given domains
+func (e *Event) Validate(allowedDomains []string) error {
 	if e.Domain == "" {
 		return fmt.Errorf("domain required")
 	}

-	if e.Domain != expectedDomain {
-		return fmt.Errorf("domain mismatch")
+	// Check if domain is in allowed list
+	allowed := false
+	for _, domain := range allowedDomains {
+		if e.Domain == domain {
+			allowed = true
+			break
+		}
+	}
+	if !allowed {
+		return fmt.Errorf("domain not allowed")
 	}

 	if e.Path == "" {