Hi: I'm building a payment gateway using Stripe, Stytch, and hopefully Keygen. I have my Stripe integration/payment flow working. It calls into a Webhook hosted by NextJS/Vercel. Sadly they force all external API communications to go through a NextJS rewrite layer (think a not-as-good-proxypass). I'm curious if you have any way to see what's going wrong on the Keygen side when I make a call from my web app -> NextJS -> Rewrite -> Keygen. I can pretty easily reproduce the issue with a Curl request - one that works (directly calling Keygen) then calling through my NextJS rewrite - I get a 403. I suspect the headers are all getting stripped off, but no great way to tell. Anyways - looking forward to some feedback as I'm totally stuck and may have to temporarily bail on Keygen integration so I can test my potential customer's excitement around the meat and potatoes of what I do (building APIs). I dig what you have going, hope we can work something out so I can use all the other great administrative features I'd get if I can use these licensing tools.

-Adam
Replies: 1 comment
Thanks for the report here. This is a first. Per our email convo — this was caused by Vercel sending an `X-Forwarded-Host` that was not equal to `api.keygen.sh`. The host value, likely `localhost` or similar, was being rejected by our Rails app since that host is not allowed. As stated earlier, our application only allows an `api.keygen.sh` host. But what was odd here is that Rails cares about the proxied host by default. For us, we don't care about proxies and what the original host was.

To fix this, we've adjusted our Rails app to ignore the `X-Forwarded-Host` header entirely, since we don't use it, and we definitely don't want to reject valid requests based on the proxy host, only the actual `Host`.

Vercel is acting as a good proxy here by setting …
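The failure and the fix described in the reply above, as an added example (not Keygen's code and not Rails' own implementation). `HostCheck` is a simplified stand-in for a host allow-list that also inspects `X-Forwarded-Host`, and `IgnoreForwardedHost` is a hypothetical Rack-style middleware that drops that header first; the class names and the `localhost:3000` value are constructed for illustration.

```ruby
# Constructed, simplified model of the behaviour described in the reply.
# HostCheck stands in for a framework host allow-list; it is not Rails' code.
class HostCheck
  def initialize(app, allowed)
    @app = app
    @allowed = allowed
  end

  def call(env)
    # Check the Host header and, when present, the last X-Forwarded-Host entry.
    hosts = [env["HTTP_HOST"]]
    forwarded = env["HTTP_X_FORWARDED_HOST"].to_s.split(/,\s*/).last
    hosts << forwarded if forwarded
    ok = hosts.all? { |h| @allowed.include?(h.to_s.sub(/:\d+\z/, "").downcase) }
    ok ? @app.call(env) : [403, { "content-type" => "text/plain" }, ["Blocked host"]]
  end
end

# Hypothetical middleware: drop the proxy-supplied header before the check,
# so only the actual Host decides.
class IgnoreForwardedHost
  def initialize(app)
    @app = app
  end

  def call(env)
    env = env.dup                       # leave the caller's env untouched
    env.delete("HTTP_X_FORWARDED_HOST")
    @app.call(env)
  end
end

APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
ALLOWED = ["api.keygen.sh"].freeze
BEFORE = HostCheck.new(APP, ALLOWED)
AFTER  = IgnoreForwardedHost.new(HostCheck.new(APP, ALLOWED))

# Constructed request as it might arrive through a rewriting proxy.
def proxied_env(host:, forwarded: nil)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/", "HTTP_HOST" => host }
  env["HTTP_X_FORWARDED_HOST"] = forwarded if forwarded
  env
end

def status(stack, env)
  stack.call(env).first
end
```

Dropping the header this way is only appropriate when nothing downstream relies on `X-Forwarded-Host`; the actual `Host` is still checked, so a request with a disallowed `Host` is rejected either way.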