From 93e60f7b0e524153d1cb16f95b17ca8208c7c219 Mon Sep 17 00:00:00 2001 From: Alex Thillen Date: Thu, 20 Jul 2023 00:04:03 +0200 Subject: [PATCH] add trusted-origins cli argument (#6319) --- src/node/cli.ts | 6 ++++++ src/node/http.ts | 5 +++++ test/unit/node/http.test.ts | 1 + 3 files changed, 12 insertions(+) diff --git a/src/node/cli.ts b/src/node/cli.ts index 37ff3628b..3f3c8086d 100644 --- a/src/node/cli.ts +++ b/src/node/cli.ts @@ -79,6 +79,7 @@ export interface UserProvidedArgs extends UserProvidedCodeArgs { "bind-addr"?: string socket?: string "socket-mode"?: string + "trusted-origins"?: string[] version?: boolean "proxy-domain"?: string[] "reuse-window"?: boolean @@ -208,6 +209,11 @@ export const options: Options> = { socket: { type: "string", path: true, description: "Path to a socket (bind-addr will be ignored)." }, "socket-mode": { type: "string", description: "File mode of the socket." }, + "trusted-origins": { + type: "string[]", + description: + "Disables authenticate origin check for trusted origin. Useful if not able to access reverse proxy configuration.", + }, version: { type: "boolean", short: "v", description: "Display version information." }, _: { type: "string[]" }, diff --git a/src/node/http.ts b/src/node/http.ts index 1885fef56..4158f0b81 100644 --- a/src/node/http.ts +++ b/src/node/http.ts @@ -355,6 +355,11 @@ export function authenticateOrigin(req: express.Request): void { throw new Error(`unable to parse malformed origin "${originRaw}"`) } + const trustedOrigins = req.args["trusted-origins"] || [] + if (trustedOrigins.includes(origin) || trustedOrigins.includes("*")) { + return + } + const host = getHost(req) if (typeof host === "undefined") { // A missing host likely means the reverse proxy has not been configured to diff --git a/test/unit/node/http.test.ts b/test/unit/node/http.test.ts index 59a09dc87..d15633a28 100644 --- a/test/unit/node/http.test.ts +++ b/test/unit/node/http.test.ts @@ -70,6 +70,7 @@ describe("http", () => { origin: test.origin, [key]: value, }, + args: {}, }) if (typeof test.expected === "string") { expect(() => http.authenticateOrigin(req)).toThrow(test.expected)