feat: verifyOrigin flag (#436)

* feat: verify origin flag

* chore: changesets

* nit: typedoc

* fix: types

.changeset/strange-paws-yell.md

@@ -0,0 +1,5 @@
+---
+"frog": patch
+---
+
+Added `verifyOrigin` flag to `Frog` constructor.

src/frog-base.tsx

@@ -178,9 +178,15 @@ export type FrogConstructorParameters<
      * Instead, the frame will receive `verified: false` in its context.
      * - When `false`, the frame will not go through verification.
      *
-     * @default true.
+     * @default process.env.NODE_ENV === 'production'.
      */
     verify?: boolean | 'silent' | undefined
+    /**
+     * Whether or not to verify frame origin.
+     *
+     * @default process.env.NODE_ENV === 'production'.
+     */
+    verifyOrigin?: boolean | undefined
 
     /**
      * Additional meta tags for the instance.
@@ -297,6 +303,8 @@ export class FrogBase<
   /** Whether or not frames should be verified. */
   verify: FrogConstructorParameters['verify'] =
     process.env.NODE_ENV === 'production'
+  verifyOrigin: FrogConstructorParameters['verifyOrigin'] =
+    process.env.NODE_ENV === 'production'
 
   metaTags: FrogConstructorParameters['unstable_metaTags'] | undefined
 
@@ -322,6 +330,7 @@ export class FrogBase<
       ui,
       unstable_metaTags,
       verify,
+      verifyOrigin,
     } = parameters
 
     this.hono = new Hono<env, schema, basePath>(honoOptions)
@@ -338,6 +347,7 @@ export class FrogBase<
     this.title = title
     if (ui) this.ui = ui
     if (typeof verify !== 'undefined') this.verify = verify
+    if (typeof verifyOrigin !== 'undefined') this.verifyOrigin = verifyOrigin
 
     this.basePath = basePath ?? '/'
     // @ts-ignore - private
@@ -419,6 +429,7 @@ export class FrogBase<
             (this.hubApiUrl ? { apiUrl: this.hubApiUrl } : undefined),
           secret: this.secret,
           verify,
+          verifyOrigin: this.verifyOrigin,
         }),
       })
 

src/utils/requestBodyToContext.ts

@@ -13,6 +13,7 @@ type RequestBodyToContextOptions = {
   hub?: Hub | undefined
   secret?: FrogConstructorParameters['secret']
   verify?: FrogConstructorParameters['verify']
+  verifyOrigin?: FrogConstructorParameters['verifyOrigin']
 }
 
 type RequestBodyToContextReturnType<
@@ -31,7 +32,12 @@ export async function requestBodyToContext<
   _state = env['State'],
 >(
   c: Context_hono<env, path>,
-  { hub, secret, verify = true }: RequestBodyToContextOptions,
+  {
+    hub,
+    secret,
+    verify = true,
+    verifyOrigin = true,
+  }: RequestBodyToContextOptions,
 ): Promise<RequestBodyToContextReturnType<env, path, input, _state>> {
   const { trustedData, untrustedData } =
     (await c.req.json().catch(() => {})) || {}
@@ -61,6 +67,7 @@ export async function requestBodyToContext<
         frameUrl: untrustedData.url,
         trustedData,
         url: url.href,
+        verifyOrigin,
       })
       return { ...frameData, state: frameData.state || untrustedData.state }
     } catch (err) {

src/utils/verifyFrame.ts

@@ -11,6 +11,7 @@ export type VerifyFrameParameters = {
   hub: Hub
   trustedData: TrustedData
   url: string
+  verifyOrigin?: boolean
 }
 
 export type VerifyFrameReturnType = {
@@ -22,6 +23,7 @@ export async function verifyFrame({
   hub,
   trustedData,
   url,
+  verifyOrigin = true,
 }: VerifyFrameParameters): Promise<VerifyFrameReturnType> {
   const body = hexToBytes(`0x${trustedData.messageBytes}`)
 
@@ -42,7 +44,7 @@ export async function verifyFrame({
       `message is invalid. ${response.details || response.message}`,
     )
 
-  if (new URL(url).origin !== new URL(frameUrl).origin)
+  if (verifyOrigin && new URL(url).origin !== new URL(frameUrl).origin)
     throw new Error(`Invalid frame url: ${frameUrl}. Expected: ${url}.`)
 
   const message = Message.fromBinary(body)