auth-backend: fix origin verification

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
This commit is contained in:
Patrik Oldsberg
2021-08-20 10:36:33 +02:00
parent 4693a4dfc2
commit 79d24a9665
4 changed files with 30 additions and 13 deletions
+5
@@ -0,0 +1,5 @@
---
'@backstage/plugin-auth-backend': patch
---
Fix an issue where the default app origin was not allowed to authenticate users.
+1 -1
@@ -36,7 +36,7 @@ export type AuthProviderConfig = {
appUrl: string;
/**
* A function that is called to check whether an origin other than the apps default one is allowed.
* A function that is called to check whether an origin is allowed to receive the authentication result.
*/
isOriginAllowed: (origin: string) => boolean;
};
@@ -18,27 +18,35 @@ import { ConfigReader } from '@backstage/config';
import { createOriginFilter } from './router';
describe('Auth origin filtering', () => {
const defaultConfigOptions = {
const config = new ConfigReader({
app: {
baseUrl: 'http://example.com/extra-path',
},
auth: {
experimentalExtraAllowedOrigins: ['https://test-*.example.net'],
},
};
const defaultConfig = () => new ConfigReader(defaultConfigOptions);
const getOptionalString = jest.fn();
const config = defaultConfig();
config.getOptionalString = getOptionalString;
});
it('Will explode, invalid origin', () => {
const origin = 'https://test.example.net';
expect(createOriginFilter(config)(origin)).toBeFalsy();
});
it('Will explode, invalid origin domain', () => {
const origin = 'https://test-1234.examplee.net';
expect(createOriginFilter(config)(origin)).toBeFalsy();
});
it("Won't explode, uses app origin", () => {
const origin = 'http://example.com';
expect(createOriginFilter(config)(origin)).toBeTruthy();
});
it("Won't explode, valid origin with numbers", () => {
const origin = 'https://test-1234.example.net';
expect(createOriginFilter(config)(origin)).toBeTruthy();
});
it("Won't explode, valid origin with chars and numbers", () => {
const origin = 'https://test-test1234.example.net';
expect(createOriginFilter(config)(origin)).toBeTruthy();
+10 -6
@@ -165,18 +165,22 @@ export async function createRouter({
export function createOriginFilter(
config: Config,
): (origin: string) => boolean {
const appUrl = config.getString('app.baseUrl');
const { origin: appOrigin } = new URL(appUrl);
const allowedOrigins = config.getOptionalStringArray(
'auth.experimentalExtraAllowedOrigins',
);
if (!allowedOrigins || allowedOrigins.length === 0) {
return () => false;
}
const allowedOriginPatterns = allowedOrigins.map(
pattern => new Minimatch(pattern, { nocase: true, noglobstar: true }),
);
const allowedOriginPatterns =
allowedOrigins?.map(
pattern => new Minimatch(pattern, { nocase: true, noglobstar: true }),
) ?? [];
return origin => {
if (origin === appOrigin) {
return true;
}
return allowedOriginPatterns.some(pattern => pattern.match(origin));
};
}
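Review bot: The exact-match branch `origin === appOrigin` on the new side compares the raw caller-supplied string against a value that `new URL(appUrl).origin` has already normalised (lower-cased host, default port dropped), while the pattern branch just below it matches with `nocase: true`, so an origin spelled `HTTP://Example.com` or `http://example.com:80` is rejected by one branch and could be accepted by the other. If the value reaches here straight from a browser's Origin header that is probably harmless, but normalising it once through `new URL(origin).origin` inside a try/catch makes both branches agree and fails closed on anything that is not a well-formed origin. Separately, these are minimatch globs: a configured pattern beginning with `!` negates and would accept every origin that does not match it, so `nonegate: true` belongs next to `noglobstar: true`. The exported function also carries no TSDoc; a header such as `/** Builds a predicate accepting the app's own origin plus any origin matching auth.experimentalExtraAllowedOrigins. */` would cover it.
```typescript
  // … unchanged: appUrl / appOrigin / allowedOrigins lookup …
  const allowedOriginPatterns =
    allowedOrigins?.map(
      pattern =>
        new Minimatch(pattern, { nocase: true, noglobstar: true, nonegate: true }),
    ) ?? [];
  return origin => {
    let normalized: string;
    try {
      normalized = new URL(origin).origin;
    } catch {
      return false; // not a parseable origin: fail closed
    }
    if (normalized === appOrigin) {
      return true;
    }
    return allowedOriginPatterns.some(pattern => pattern.match(normalized));
  };
```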