Glad you made some progress!
Now that you’ve got it working, I’d recommend trying to layer back in some of the security.
You can keep an origin check by explicitly checking it against a known good list or maybe simply ‘localhost’ depending on your case? I’m unsure what the download case will send as an origin, but you can check it at that same spot and set the header accordingly. Something like:
const origins = new Set(['localhost:8080', 'internal.name.test:3000']);
if (origins.has(req.headers.origin))
res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
This will protect against any random website you visit testing localhost for anything that responds and running things against it. Without the origin check, your browser + self-hosted proxy will happily send it data.
And, secret-wise, I’d also recommend generating your own random value and using that as an additional check via an Authorization header. So replacing database-proxy/server.js at main · observablehq/database-proxy · GitHub with something like:
if (authorization !== 'randomsecretvalue')
throw unauthorized('Invalid authorization');
and pass the value via fetch:
fetch('http://127.0.0.1:2899/query', {
headers: { authorization: 'token randomsecretvalue' },
body: ...
});
This will protect slightly further against data exfiltration. It’s definitely not perfect since that secret isn’t stored very well, but it’s at least another layer.
Like @Cobus said, let us know how it goes and if you have ideas on how to make the database-proxy side simpler for this case.