fix(web): Map API トークンエンドポイントに Origin チェックを追加 (SOR-28)

[Sora4431]

Summary

• /api/google-maps/token, /api/mapbox/token, /api/mapbox/geocode に Origin/Referer ヘッダー検証を追加
• tabitabi サイト経由以外のリクエスト（curl、別サイト等）を 403 で拒否
• ALLOWED_ORIGINS 環境変数でカスタマイズ可能、dev モードではスキップ

Test plan

• validateOrigin のユニットテスト 9件追加（全パス）
• 本番デプロイ後、curl で直接 /api/google-maps/token を叩いて 403 が返ることを確認
• ブラウザから地図が今まで通り表示されることを確認

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Adds server-side Origin/Referer validation to Map API proxy/token endpoints to reduce off-site usage, with an ALLOWED_ORIGINS allowlist and dev-mode bypass.

Changes:

• Introduces validateOrigin(request) helper to enforce Origin/Referer checks (and allowlist via ALLOWED_ORIGINS).
• Applies validateOrigin to /api/google-maps/token, /api/mapbox/token, and /api/mapbox/geocode.
• Adds Vitest unit tests covering key allow/deny paths for validateOrigin.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
apps/web/src/routes/api/mapbox/token/+server.ts	Calls validateOrigin before returning Mapbox token JSON.
apps/web/src/routes/api/mapbox/geocode/+server.ts	Adds validateOrigin to geocode endpoint handler.
apps/web/src/routes/api/google-maps/token/+server.ts	Calls validateOrigin before returning Google Maps API key JSON.
apps/web/src/lib/server/validate-origin.ts	New shared validation utility for Origin/Referer allow/deny decisions.
apps/web/src/lib/server/validate-origin.test.ts	New unit tests for validateOrigin.

[Copilot]

new URL(referer) can throw (e.g., malformed/relative Referer header). That would bubble up as a 500 instead of a 403. Consider wrapping the URL parsing in a try/catch and treating invalid Referer as missing/forbidden (or ignore it and fall back to Origin).

Suggested change

	const requestOrigin = origin ?? (referer ? new URL(referer).origin : null);
	let requestOrigin = origin;
	if (!requestOrigin && referer) {
	try {
	requestOrigin = new URL(referer).origin;
	} catch {
	requestOrigin = null;
	}
	}

[Copilot]

x-forwarded-proto commonly contains a comma-separated list (e.g. "https,http"). Using it verbatim will produce an invalid selfOrigin and can cause false 403s. Consider normalizing it (take the first value and trim), or derive selfOrigin from new URL(request.url).origin (or event.url.origin) to avoid proxy/header quirks.

Suggested change

	const host = request.headers.get('host');
	if (!host) {
	throw error(403, 'Forbidden');
	}
	const protocol = request.headers.get('x-forwarded-proto') ?? 'https';
	const selfOrigin = `${protocol}://${host}`;
	const selfOrigin = new URL(request.url).origin;

[Copilot]

PR description says direct curl requests will be rejected, but this check relies on Origin/Referer values that any client (including curl) can spoof. If the intent is to enforce a real access boundary, consider adding an additional server-side control (e.g., session/auth check, signed nonce, or rate limiting) or update the description to clarify this is a best-effort browser-origin check rather than strong protection.

[Copilot]

Missing test case for malformed referer (e.g. referer: 'not-a-url' or relative URL). As implemented, new URL(referer) would throw and likely surface as a 500. Adding a test that asserts these inputs are handled as 403 (or otherwise gracefully rejected) would prevent regressions.

Suggested change

	it('rejects requests with malformed Referer values', () => {
	const malformedReferers = ['not-a-url', '/relative/path'];
	for (const referer of malformedReferers) {
	const req = createRequest({
	referer,
	host: 'example.com',
	});
	expect(() => validateOrigin(req)).toThrow();
	}
	});

[Sora4431]

Copilot コメント 3点対応しました:

1. Referer パース安全化 — new URL(referer) を try/catch で囲み、不正な Referer は 403 として処理
2. selfOrigin 取得改善 — x-forwarded-proto + host の組み立てを new URL(request.url).origin に変更
3. スプーフィングについて — Origin/Referer チェックはブラウザレベルの best-effort 防御です。APIキー側のリファラー制限は SOR-31 として別途対応予定

malformed Referer のテストケースも追加済みです。