|
|
@ -103,6 +103,12 @@ export function allowHost(req: IncomingMessage, allowedHost: string|URL) {
|
|
|
|
const proto = getEndUserProtocol(req);
|
|
|
|
const proto = getEndUserProtocol(req);
|
|
|
|
const actualUrl = new URL(getOriginUrl(req));
|
|
|
|
const actualUrl = new URL(getOriginUrl(req));
|
|
|
|
const allowedUrl = (typeof allowedHost === 'string') ? new URL(`${proto}://${allowedHost}`) : allowedHost;
|
|
|
|
const allowedUrl = (typeof allowedHost === 'string') ? new URL(`${proto}://${allowedHost}`) : allowedHost;
|
|
|
|
|
|
|
|
log.rawDebug('allowHost: ', {
|
|
|
|
|
|
|
|
req: (new URL(req.url!, `http://${req.headers.host}`).href),
|
|
|
|
|
|
|
|
origin: req.headers.origin,
|
|
|
|
|
|
|
|
actualUrl: actualUrl.hostname,
|
|
|
|
|
|
|
|
allowedUrl: allowedUrl.hostname,
|
|
|
|
|
|
|
|
});
|
|
|
|
if ((req as RequestWithOrg).isCustomHost) {
|
|
|
|
if ((req as RequestWithOrg).isCustomHost) {
|
|
|
|
// For a request to a custom domain, the full hostname must match.
|
|
|
|
// For a request to a custom domain, the full hostname must match.
|
|
|
|
return actualUrl.hostname === allowedUrl.hostname;
|
|
|
|
return actualUrl.hostname === allowedUrl.hostname;
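Review bot: The `req:` field of the added `log.rawDebug` call parses `req.url` against the client-supplied `Host` header with `new URL(...)`, which throws on an empty or malformed authority, so a bad `Host` value can now raise inside `allowHost` before the hostname comparison is reached. The argument object is also built on every call, presumably even when debug output is disabled. Logging the raw values avoids both problems: replace that field with `url: req.url,` and `host: req.headers.host,`. Since `origin` and `Host` are request-controlled strings, it is also worth confirming that the log sink escapes them. The body of `allowHost` continues past the end of this hunk, so how a thrown error is handled by the caller is not visible here.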
|
|
|
|