From 8c4365e5b7fe277003b0a5c037283d627edca150 Mon Sep 17 00:00:00 2001
From: Christopher Tauchen <chris.tauchen@tigera.io>
Date: Thu, 2 Apr 2026 16:09:35 +0100
Subject: [PATCH] Inject x-proxy-secret header when proxying to tag site

After successful authentication, the proxy request to the tag site now
includes the shared PROXY_SECRET header so the tag site can verify the
request came through the main site's auth layer.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 netlify/edge-functions/tag-auth.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/netlify/edge-functions/tag-auth.js b/netlify/edge-functions/tag-auth.js
index 03d11ba092..2e72bba4c3 100644
--- a/netlify/edge-functions/tag-auth.js
+++ b/netlify/edge-functions/tag-auth.js
@@ -10,13 +10,15 @@ export default async (request, context) => {
 
   const cookie = request.headers.get('cookie') || '';
 
-  // Already authenticated — proxy to the private site
+  // Already authenticated — proxy to the private site with shared secret
   if (cookie.includes('tag_auth=authorized')) {
     const url = new URL(request.url);
     const path = url.pathname.replace(/^\/tag/, '') || '/';
     const target = `https://tag-docs-tigera.netlify.app/tag${path}${url.search}`;
+    const proxyHeaders = new Headers(request.headers);
+    proxyHeaders.set('x-proxy-secret', Netlify.env.get('PROXY_SECRET'));
     return fetch(target, {
-      headers: request.headers,
+      headers: proxyHeaders,
     });
   }