auth-backend: fix origin verification
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@@ -0,0 +1,5 @@
|
||||
---
|
||||
'@backstage/plugin-auth-backend': patch
|
||||
---
|
||||
|
||||
Fix an issue where the default app origin was not allowed to authenticate users.
|
||||
@@ -36,7 +36,7 @@ export type AuthProviderConfig = {
|
||||
appUrl: string;
|
||||
|
||||
/**
|
||||
* A function that is called to check whether an origin other than the apps default one is allowed.
|
||||
* A function that is called to check whether an origin is allowed to receive the authentication result.
|
||||
*/
|
||||
isOriginAllowed: (origin: string) => boolean;
|
||||
};
|
||||
|
||||
@@ -18,27 +18,35 @@ import { ConfigReader } from '@backstage/config';
|
||||
import { createOriginFilter } from './router';
|
||||
|
||||
describe('Auth origin filtering', () => {
|
||||
const defaultConfigOptions = {
|
||||
const config = new ConfigReader({
|
||||
app: {
|
||||
baseUrl: 'http://example.com/extra-path',
|
||||
},
|
||||
auth: {
|
||||
experimentalExtraAllowedOrigins: ['https://test-*.example.net'],
|
||||
},
|
||||
};
|
||||
const defaultConfig = () => new ConfigReader(defaultConfigOptions);
|
||||
const getOptionalString = jest.fn();
|
||||
const config = defaultConfig();
|
||||
config.getOptionalString = getOptionalString;
|
||||
});
|
||||
|
||||
it('Will explode, invalid origin', () => {
|
||||
const origin = 'https://test.example.net';
|
||||
expect(createOriginFilter(config)(origin)).toBeFalsy();
|
||||
});
|
||||
|
||||
it('Will explode, invalid origin domain', () => {
|
||||
const origin = 'https://test-1234.examplee.net';
|
||||
expect(createOriginFilter(config)(origin)).toBeFalsy();
|
||||
});
|
||||
|
||||
it("Won't explode, uses app origin", () => {
|
||||
const origin = 'http://example.com';
|
||||
expect(createOriginFilter(config)(origin)).toBeTruthy();
|
||||
});
|
||||
|
||||
it("Won't explode, valid origin with numbers", () => {
|
||||
const origin = 'https://test-1234.example.net';
|
||||
expect(createOriginFilter(config)(origin)).toBeTruthy();
|
||||
});
|
||||
|
||||
it("Won't explode, valid origin with chars and numbers", () => {
|
||||
const origin = 'https://test-test1234.example.net';
|
||||
expect(createOriginFilter(config)(origin)).toBeTruthy();
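Review bot: The new `"Won't explode, uses app origin"` case runs against a config that also sets `auth.experimentalExtraAllowedOrigins`, so it never exercises the path the changeset describes: the old `createOriginFilter` returned `() => false` whenever that array was absent or empty, which is exactly when the default app origin was rejected, and nothing here would fail if that early return came back. Add a case with only `app.baseUrl` configured, and since the filter compares the full origin string, pin that a scheme or port mismatch on the app host is still rejected. The `describe` block opened at the top of the hunk closes outside it.
```typescript
  it("Won't explode, uses app origin with no extra origins configured", () => {
    const bareConfig = new ConfigReader({
      app: { baseUrl: 'http://example.com/extra-path' },
    });
    const filter = createOriginFilter(bareConfig);
    expect(filter('http://example.com')).toBeTruthy();
    expect(filter('https://example.com')).toBeFalsy();
    expect(filter('http://example.com:8080')).toBeFalsy();
  });
```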
|
||||
|
||||
@@ -165,18 +165,22 @@ export async function createRouter({
|
||||
export function createOriginFilter(
|
||||
config: Config,
|
||||
): (origin: string) => boolean {
|
||||
const appUrl = config.getString('app.baseUrl');
|
||||
const { origin: appOrigin } = new URL(appUrl);
|
||||
|
||||
const allowedOrigins = config.getOptionalStringArray(
|
||||
'auth.experimentalExtraAllowedOrigins',
|
||||
);
|
||||
if (!allowedOrigins || allowedOrigins.length === 0) {
|
||||
return () => false;
|
||||
}
|
||||
|
||||
const allowedOriginPatterns = allowedOrigins.map(
|
||||
pattern => new Minimatch(pattern, { nocase: true, noglobstar: true }),
|
||||
);
|
||||
const allowedOriginPatterns =
|
||||
allowedOrigins?.map(
|
||||
pattern => new Minimatch(pattern, { nocase: true, noglobstar: true }),
|
||||
) ?? [];
|
||||
|
||||
return origin => {
|
||||
if (origin === appOrigin) {
|
||||
return true;
|
||||
}
|
||||
return allowedOriginPatterns.some(pattern => pattern.match(origin));
|
||||
};
|
||||
}
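Review bot: The `allowedOriginPatterns` built from `auth.experimentalExtraAllowedOrigins` rely on minimatch's default `*`, which matches any run of characters except `/` — including `.` — so a configured pattern such as `https://test-*.example.net` also admits deeper hosts like `https://test-a.b.example.net`, not only a single label; whoever can create such a hostname under the parent domain can then receive the authentication result. The `noglobstar: true` option only disables `**` and does not narrow this. If a single label is intended, say so where the patterns are compiled, e.g. `// minimatch '*' matches any chars except '/', including '.', so a pattern also admits deeper subdomains`, or reject a matched origin whose host has more labels than the pattern. The exact `origin === appOrigin` comparison in the returned function is the right shape for the default origin, since `URL.origin` carries scheme and port and a glob is not consulted for it.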
|
||||
|
||||