
feat: add faucet API route at /api/faucet#121

Merged
brendanjryan merged 5 commits into main from feat/faucet-api on Feb 26, 2026

Conversation

@brendanjryan
Contributor

@brendanjryan brendanjryan commented Feb 26, 2026

Adds a faucet API endpoint at docs.tempo.xyz/api/faucet so we can serve faucet requests directly from the docs site instead of requiring external curl commands.

Returns { data: [{ hash }], error: null } on success.

@vercel

vercel bot commented Feb 26, 2026


Project | Deployment | Actions | Updated (UTC)
docs | Ready | Preview, Comment | Feb 26, 2026 11:17pm
tempo-docs | Ready | Preview, Comment | Feb 26, 2026 11:17pm


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 806745d90f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

)
}

return fund(address.toLowerCase() as `0x${string}`, corsHeaders)


P1: Remove state-changing behavior from the GET faucet route

The GET handler directly calls fund(...), which makes a non-idempotent blockchain action triggerable by any cross-site request mechanism that does not require CORS (for example link prefetchers, crawlers, or an embedded <img src>). In production this can spend faucet capacity without explicit user intent, so funding should be limited to POST (or otherwise protected against automatic GET traffic).


'Access-Control-Allow-Headers': 'Content-Type',
}

if (origin && allowedOrigins.some((allowed) => origin.startsWith(allowed)))


P2: Match CORS origins exactly instead of using startsWith

The CORS check uses origin.startsWith(allowed), so an attacker-controlled origin like https://docs.tempo.xyz.attacker.com passes the whitelist and receives Access-Control-Allow-Origin. This weakens the intended browser-origin restriction for this endpoint; compare parsed origins/hosts with exact trusted values (or enforce proper subdomain boundary checks) rather than prefix matching.


@brendanjryan brendanjryan merged commit cad7992 into main Feb 26, 2026
7 checks passed
@brendanjryan brendanjryan deleted the feat/faucet-api branch February 26, 2026 23:18
