Merge pull request #632 from openstad/fix/always-allow-base-url-domain

Fix/always allow base url domain
openstad · Nov 6, 2024 · 7149e5c · 7149e5c
2 parents 1d63f21 + 914ae4f
commit 7149e5c
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 3 deletions.
diff --git a/apps/api-server/src/adapter/oidc/router.js b/apps/api-server/src/adapter/oidc/router.js
@@ -239,11 +239,25 @@ router
 
     // todo: deze afvanging moet veel eerder!!!
     const isAllowedRedirectDomain = (url, allowedDomains) => {
+      allowedDomains = allowedDomains || [];
+
+      try {
+        const baseUrlHost = process.env.BASE_DOMAIN || process.env.HOSTNAME;
+
+        if ( !!baseUrlHost ) {
+          allowedDomains.push(baseUrlHost);
+          allowedDomains.push('auth.' + baseUrlHost);
+          allowedDomains.push('api.' + baseUrlHost);
+          allowedDomains.push('admin.' + baseUrlHost);
+        }
+      } catch(err) {
+        console.error('Error processing allowed domains:', err);
+      }
+
       let redirectUrlHost = '';
       try {
         redirectUrlHost = new URL(url).hostname;
-      } catch (err) {
-      }
+      } catch (err) {}
 
       // throw error if allowedDomains is empty or the redirectURI's host is not present in the allowed domains
       return allowedDomains && allowedDomains.indexOf(redirectUrlHost) !== -1;

diff --git a/apps/api-server/src/adapter/openstad/router.js b/apps/api-server/src/adapter/openstad/router.js
@@ -128,6 +128,20 @@ router
 
     const isAllowedRedirectDomain = (url, project) => {
       let allowedDomains = project?.config?.allowedDomains || [];
+
+      try {
+        const baseUrlHost = process.env.BASE_DOMAIN || process.env.HOSTNAME;
+
+        if ( !!baseUrlHost ) {
+          allowedDomains.push(baseUrlHost);
+          allowedDomains.push('auth.' + baseUrlHost);
+          allowedDomains.push('api.' + baseUrlHost);
+          allowedDomains.push('admin.' + baseUrlHost);
+        }
+      } catch(err) {
+        console.error('Error processing allowed domains:', err);
+      }
+
       if (project.url) {
         try {
           let projectDomain = new URL(project.url).hostname;

diff --git a/apps/api-server/src/middleware/security-headers.js b/apps/api-server/src/middleware/security-headers.js
@@ -11,6 +11,21 @@ module.exports = function( req, res, next ) {
 	} catch(err) {	}
 
 	let allowedDomains = (req.project && req.project.config && req.project.config.allowedDomains) || config.allowedDomains;
+	allowedDomains = allowedDomains || [];
+
+	try {
+		const baseUrlHost = process.env.BASE_DOMAIN || process.env.HOSTNAME;
+
+		if ( !!baseUrlHost ) {
+			allowedDomains.push(baseUrlHost);
+			allowedDomains.push('auth.' + baseUrlHost);
+			allowedDomains.push('api.' + baseUrlHost);
+			allowedDomains.push('admin.' + baseUrlHost);
+		}
+	} catch(err) {
+		console.error('Error processing allowed domains:', err);
+	}
+
 	if ( !allowedDomains || allowedDomains.indexOf(domain) === -1) {
 		url = config.url || req.protocol + '://' + req.hostname;
 	}

diff --git a/apps/api-server/src/services/isRedirectAllowed.js b/apps/api-server/src/services/isRedirectAllowed.js
@@ -5,6 +5,20 @@ const isRedirectAllowed = async (projectId, redirectUri) => {
     const project = await db.Project.findByPk(projectId);
     if(!project) return false;
     let allowedDomains = project?.config?.allowedDomains || [];
+
+    try {
+        const baseUrlHost = process.env.BASE_DOMAIN || process.env.HOSTNAME;
+
+        if ( !!baseUrlHost ) {
+            allowedDomains.push(baseUrlHost);
+            allowedDomains.push('auth.' + baseUrlHost);
+            allowedDomains.push('api.' + baseUrlHost);
+            allowedDomains.push('admin.' + baseUrlHost);
+        }
+    } catch(err) {
+        console.error('Error processing allowed domains:', err);
+    }
+
     allowedDomains = allowedDomains.map(domain => {
         // check if url has http or https and add http if not
         if(!domain.startsWith('http://') && !domain.startsWith('https://')){

diff --git a/apps/auth-server/controllers/oauth/oauth2.js b/apps/auth-server/controllers/oauth/oauth2.js
@@ -174,9 +174,24 @@ exports.authorization = [
         /**
          * Check if redirectURI same host as registered
          */
-        const allowedDomains = client.allowedDomains ? client.allowedDomains : false;
+        const allowedDomains = client.allowedDomains ? client.allowedDomains : [];
         const redirectUrlHost = new URL(redirectURI).hostname;
 
+        try {
+          let baseUrlHost = process.env.APP_URL || '';
+
+          if (baseUrlHost) {
+            baseUrlHost = baseUrlHost.replace(/^(https?:\/\/)?(www\.)?(auth\.)?/, '');
+
+            allowedDomains.push(baseUrlHost);
+            allowedDomains.push('auth.' + baseUrlHost);
+            allowedDomains.push('api.' + baseUrlHost);
+            allowedDomains.push('admin.' + baseUrlHost);
+          }
+        } catch (err) {
+          console.error('Error processing allowed domains:', err);
+        }
+
         //console.log('===> allowedDomains', allowedDomains, redirectUrlHost);
 
         // throw error if allowedDomains is empty or the redirectURI's host is not present in the allowed domains