From a48cedb3f33754b62d9e4df32d8322991c2e32fe Mon Sep 17 00:00:00 2001
From: Alexander Klein <alexander.klein@logmein.com>
Date: Wed, 24 Feb 2021 10:40:21 +0100
Subject: [PATCH] fix(api): reject all metrics requests for invalid domains

Add check for requested metric type before domain name check.
Only the referrer metrics use the domain name; all other metrics should be unaffected.

This partly closes #503
---
 pages/api/website/[id]/metrics.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pages/api/website/[id]/metrics.js b/pages/api/website/[id]/metrics.js
index ef736ee0..c3d1f548 100644
--- a/pages/api/website/[id]/metrics.js
+++ b/pages/api/website/[id]/metrics.js
@@ -33,7 +33,7 @@ export default async (req, res) => {
 
     const { id, type, start_at, end_at, domain, url } = req.query;
 
-    if (domain && !DOMAIN_REGEX.test(domain)) {
+    if (type === 'referrer' && domain && !DOMAIN_REGEX.test(domain)) {
       return badRequest(res);
     }