Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2024-10-27 20:44:07 +00:00
Code Issues Projects Releases Wiki Activity

Include Origin header depending on the call site

Browse Source
This commit is contained in:
fflorent 2024-04-22 19:14:42 +02:00
parent 3722fcddf3
commit 85fcfae7c5
7 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/common/gristUrls.ts
View File

@ -185,7 +185,7 @@ export interface OrgUrlInfo {
orgInPath?: string; // If /o/{orgInPath} should be used to access the requested org. orgInPath?: string; // If /o/{orgInPath} should be used to access the requested org.
} }
export function hostMatchesUrl(host?: string, url?: string) { function hostMatchesUrl(host?: string, url?: string) {
return host !== undefined && url !== undefined && new URL(url).host === host; return host !== undefined && url !== undefined && new URL(url).host === host;
} }

2
app/gen-server/lib/DocApiForwarder.ts
View File

@ -104,7 +104,7 @@ export class DocApiForwarder {
url.pathname = removeTrailingSlash(docWorkerUrl.pathname) + url.pathname; url.pathname = removeTrailingSlash(docWorkerUrl.pathname) + url.pathname;
const headers: {[key: string]: string} = { const headers: {[key: string]: string} = {
...getTransitiveHeaders(req), ...getTransitiveHeaders(req, { includeOrigin: true }),
'Content-Type': req.get('Content-Type') || 'application/json', 'Content-Type': req.get('Content-Type') || 'application/json',
}; };
for (const key of ['X-Sort', 'X-Limit']) { for (const key of ['X-Sort', 'X-Limit']) {

2
app/server/lib/AppEndpoint.ts
View File

@ -149,7 +149,7 @@ export function attachAppEndpoint(options: AttachOptions): void {
// TODO docWorkerMain needs to serve app.html, perhaps with correct base-href already set. // TODO docWorkerMain needs to serve app.html, perhaps with correct base-href already set.
const headers = { const headers = {
Accept: 'application/json', Accept: 'application/json',
...getTransitiveHeaders(req), ...getTransitiveHeaders(req, { includeOrigin: true }),
}; };
const workerInfo = await getWorker(docWorkerMap, docId, `/${docId}/app.html`, {headers}); const workerInfo = await getWorker(docWorkerMap, docId, `/${docId}/app.html`, {headers});
docStatus = workerInfo.docStatus; docStatus = workerInfo.docStatus;

10
app/server/lib/Authorizer.ts
View File

@ -677,7 +677,10 @@ export function assertAccess(
* Pull out headers to pass along to a proxied service. Focused primarily on * Pull out headers to pass along to a proxied service. Focused primarily on
* authentication. * authentication.
*/ */
export function getTransitiveHeaders(req: Request): {[key: string]: string} { export function getTransitiveHeaders(
req: Request,
{ includeOrigin }: { includeOrigin: boolean }
): {[key: string]: string} {
const Authorization = req.get('Authorization'); const Authorization = req.get('Authorization');
const Cookie = req.get('Cookie'); const Cookie = req.get('Cookie');
const PermitHeader = req.get('Permit'); const PermitHeader = req.get('Permit');
@ -685,8 +688,6 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
const XRequestedWith = req.get('X-Requested-With'); const XRequestedWith = req.get('X-Requested-With');
const Origin = req.get('Origin'); // Pass along the original Origin since it may const Origin = req.get('Origin'); // Pass along the original Origin since it may
// play a role in granular access control. // play a role in granular access control.
const Host = req.get('Host'); // Also pass along the original Host, as we need it since
// the destination compares that with the Origin header.
const result: Record<string, string> = { const result: Record<string, string> = {
...(Authorization ? { Authorization } : undefined), ...(Authorization ? { Authorization } : undefined),
@ -694,8 +695,7 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
...(Organization ? { Organization } : undefined), ...(Organization ? { Organization } : undefined),
...(PermitHeader ? { Permit: PermitHeader } : undefined), ...(PermitHeader ? { Permit: PermitHeader } : undefined),
...(XRequestedWith ? { 'X-Requested-With': XRequestedWith } : undefined), ...(XRequestedWith ? { 'X-Requested-With': XRequestedWith } : undefined),
...(Origin ? { Origin } : undefined), ...((includeOrigin && Origin) ? { Origin } : undefined),
...(Host ? { Host } : undefined),
}; };
const extraHeader = process.env.GRIST_FORWARD_AUTH_HEADER; const extraHeader = process.env.GRIST_FORWARD_AUTH_HEADER;
const extraHeaderValue = extraHeader && req.get(extraHeader); const extraHeaderValue = extraHeader && req.get(extraHeader);

8
app/server/lib/DocApi.ts
View File

@ -1102,7 +1102,7 @@ export class DocWorkerApi {
const result = await fetch(homeUrl, { const result = await fetch(homeUrl, {
method: 'GET', method: 'GET',
headers: { headers: {
...getTransitiveHeaders(req), ...getTransitiveHeaders(req, { includeOrigin: false }),
'Content-Type': 'application/json', 'Content-Type': 'application/json',
} }
}); });
@ -1115,7 +1115,7 @@ export class DocWorkerApi {
await fetch(this._grist.getHomeInternalUrl(`/api/docs/${options.sourceDocId}/flush`), { await fetch(this._grist.getHomeInternalUrl(`/api/docs/${options.sourceDocId}/flush`), {
method: 'POST', method: 'POST',
headers: { headers: {
...getTransitiveHeaders(req), ...getTransitiveHeaders(req, { includeOrigin: false }),
'Content-Type': 'application/json', 'Content-Type': 'application/json',
} }
}); });
@ -1173,7 +1173,7 @@ export class DocWorkerApi {
const {states} = await this._getStates(docSession, activeDoc); const {states} = await this._getStates(docSession, activeDoc);
const ref = await fetch(this._grist.getHomeInternalUrl(`/api/docs/${req.params.docId2}/states`), { const ref = await fetch(this._grist.getHomeInternalUrl(`/api/docs/${req.params.docId2}/states`), {
headers: { headers: {
...getTransitiveHeaders(req), ...getTransitiveHeaders(req, { includeOrigin: false }),
'Content-Type': 'application/json', 'Content-Type': 'application/json',
} }
}); });
@ -1202,7 +1202,7 @@ export class DocWorkerApi {
const url = `/api/docs/${req.params.docId2}/compare?left=${parent.h}`; const url = `/api/docs/${req.params.docId2}/compare?left=${parent.h}`;
const rightChangesReq = await fetch(this._grist.getHomeInternalUrl(url), { const rightChangesReq = await fetch(this._grist.getHomeInternalUrl(url), {
headers: { headers: {
...getTransitiveHeaders(req), ...getTransitiveHeaders(req, { includeOrigin: false }),
'Content-Type': 'application/json', 'Content-Type': 'application/json',
} }
}); });

2
app/server/lib/FlexServer.ts
View File

@ -2436,7 +2436,7 @@ export class FlexServer implements GristServer {
const copyDocUrl = this.getHomeInternalUrl('/api/docs'); const copyDocUrl = this.getHomeInternalUrl('/api/docs');
const response = await fetch(copyDocUrl, { const response = await fetch(copyDocUrl, {
headers: { headers: {
...getTransitiveHeaders(req), ...getTransitiveHeaders(req, { includeOrigin: false }),
'Content-Type': 'application/json', 'Content-Type': 'application/json',
}, },
method: 'POST', method: 'POST',

2
app/server/lib/uploads.ts
View File

@ -420,7 +420,7 @@ export async function fetchDoc(
template: boolean template: boolean
): Promise<UploadResult> { ): Promise<UploadResult> {
// Prepare headers that preserve credentials of current user. // Prepare headers that preserve credentials of current user.
const headers = getTransitiveHeaders(req); const headers = getTransitiveHeaders(req, { includeOrigin: false });
// Passing the Origin header would serve no purpose here, as we are // Passing the Origin header would serve no purpose here, as we are
// constructing an internal request to fetch from our own doc worker // constructing an internal request to fetch from our own doc worker