Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add advanced setting for enabling plain HTTP domains #403

Merged
merged 15 commits into from
Feb 10, 2025
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
*.untracked.*
node-compile-cache/


*.cpuprofile


Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,15 @@ import { FormDialog } from "@/components/form-dialog";
import { InputField, SwitchField } from "@/components/form-fields";
import { SettingCard, SettingSwitch } from "@/components/settings";
import { AdminDomainConfig, AdminProject } from "@stackframe/stack";
import { urlSchema } from "@stackframe/stack-shared/dist/schema-fields";
import { isValidUrl } from "@stackframe/stack-shared/dist/utils/urls";
import { createUrlIfValid, isValidUrl } from "@stackframe/stack-shared/dist/utils/urls";
import { Accordion, AccordionContent, AccordionItem, AccordionTrigger, ActionCell, ActionDialog, Alert, Button, Table, TableBody, TableCell, TableHead, TableHeader, TableRow, Typography } from "@stackframe/stack-ui";
import React from "react";
import * as yup from "yup";
import { PageLayout } from "../page-layout";
import { useAdminApp } from "../use-admin-app";

const DOMAIN_REGEX = /^(((?!-))(xn--|_)?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.)*(xn--)?([a-z0-9][a-z0-9\-]{0,60}|[a-z0-9-]{1,30}\.[a-z]{2,})$/;

function EditDialog(props: {
open?: boolean,
onOpenChange?: (open: boolean) => void,
Expand All @@ -30,9 +31,13 @@ function EditDialog(props: {
}
)) {
const domainFormSchema = yup.object({
domain: urlSchema
.url("Invalid URL")
.transform((value) => 'https://' + value)
domain: yup.string()
.test('is-domain', "Invalid Domain", (domain) => {
if (!domain) {
return true;
}
const urlIfValid = createUrlIfValid(`https://${domain}`);
return !!urlIfValid && urlIfValid.hostname === domain; })
.notOneOf(
props.domains
.filter((_, i) => (props.type === 'update' && i !== props.editIndex) || props.type === 'create')
Expand All @@ -44,6 +49,7 @@ function EditDialog(props: {
.matches(/^\//, "Handler path must start with /")
.defined(),
addWww: yup.boolean(),
allowInsecureHttp: yup.boolean(),
});

const canAddWww = (domain: string | undefined) => {
Expand Down Expand Up @@ -71,6 +77,7 @@ function EditDialog(props: {
addWww: props.type === 'create',
domain: props.type === 'update' ? props.defaultDomain.replace(/^https:\/\//, "") : undefined,
handlerPath: props.type === 'update' ? props.defaultHandlerPath : "/handler",
allowInsecureHttp: false,
}}
onOpenChange={props.onOpenChange}
trigger={props.trigger}
Expand All @@ -84,11 +91,11 @@ function EditDialog(props: {
domains: [
...props.domains,
{
domain: values.domain,
domain: (values.allowInsecureHttp ? 'http' : 'https') + `://` + values.domain,
handlerPath: values.handlerPath,
},
...(canAddWww(values.domain.slice(8)) && values.addWww ? [{
domain: 'https://www.' + values.domain.slice(8),
...(canAddWww(values.domain) && values.addWww ? [{
domain: `${values.allowInsecureHttp ? 'http' : 'https'}://www.` + values.domain,
handlerPath: values.handlerPath,
}] : []),
],
Expand Down Expand Up @@ -119,7 +126,7 @@ function EditDialog(props: {
label="Domain"
name="domain"
control={form.control}
prefixItem='https://'
prefixItem={form.getValues('allowInsecureHttp') ? 'http://' : 'https://'}
placeholder='example.com'
/>

Expand All @@ -145,6 +152,16 @@ function EditDialog(props: {
<Typography variant="secondary" type="footnote">
only modify this if you changed the default handler path in your app
</Typography>
<div className="my-4">
<SwitchField
label="Allow insecure HTTP domains"
name="allowInsecureHttp"
control={form.control}
/>
</div>
<Typography variant="secondary" type="footnote">
Warning: HTTP domains are insecure and should only be used for development / internal networks.
</Typography>
</AccordionContent>
</AccordionItem>
</Accordion>
Expand Down
100 changes: 100 additions & 0 deletions apps/e2e/tests/backend/endpoints/api/v1/projects.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -274,6 +274,106 @@ it("is not allowed to have two identical domains", async ({ expect }) => {
`);
});

it("should allow insecure HTTP domains", async ({ expect }) => {
await Auth.Otp.signIn();
const { adminAccessToken } = await Project.createAndGetAdminToken();
const { updateProjectResponse: response } = await Project.updateCurrent(adminAccessToken, {
config: {
domains: [{
domain: 'http://insecure-domain.stack-test.example.com',
handler_path: '/handler'
}]
},
});
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": {
"config": {
"allow_localhost": true,
"client_team_creation_enabled": false,
"client_user_deletion_enabled": false,
"create_team_on_sign_up": false,
"credential_enabled": true,
"domains": [
{
"domain": "http://insecure-domain.stack-test.example.com",
"handler_path": "/handler",
},
],
"email_config": { "type": "shared" },
"enabled_oauth_providers": [],
"id": "<stripped UUID>",
"legacy_global_jwt_signing": false,
"magic_link_enabled": false,
"oauth_providers": [],
"passkey_enabled": false,
"sign_up_enabled": true,
"team_creator_default_permissions": [{ "id": "admin" }],
"team_member_default_permissions": [{ "id": "member" }],
},
"created_at_millis": <stripped field 'created_at_millis'>,
"description": "",
"display_name": "New Project",
"id": "<stripped UUID>",
"is_production_mode": false,
"user_count": 0,
},
"headers": Headers { <some fields may have been hidden> },
}
`);
});

it("should not allow protocols other than http(s) in trusted domains", async ({ expect }) => {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test description 'should not allow protocols other than http(s)' is inconsistent with the inline snapshot which still returns status 200 and includes the 'whatever://' protocol. Please verify if disallowed protocols should result in an error response.

await Auth.Otp.signIn();
const { adminAccessToken } = await Project.createAndGetAdminToken();
const { updateProjectResponse: response } = await Project.updateCurrent(adminAccessToken, {
config: {
domains: [{
domain: 'whatever://disallowed-domain.stack-test.example.com',
handler_path: '/handler'
}]
},
});
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": {
"config": {
"allow_localhost": true,
"client_team_creation_enabled": false,
"client_user_deletion_enabled": false,
"create_team_on_sign_up": false,
"credential_enabled": true,
"domains": [
{
"domain": "whatever://disallowed-domain.stack-test.example.com",
"handler_path": "/handler",
},
],
"email_config": { "type": "shared" },
"enabled_oauth_providers": [],
"id": "<stripped UUID>",
"legacy_global_jwt_signing": false,
"magic_link_enabled": false,
"oauth_providers": [],
"passkey_enabled": false,
"sign_up_enabled": true,
"team_creator_default_permissions": [{ "id": "admin" }],
"team_member_default_permissions": [{ "id": "member" }],
},
"created_at_millis": <stripped field 'created_at_millis'>,
"description": "",
"display_name": "New Project",
"id": "<stripped UUID>",
"is_production_mode": false,
"user_count": 0,
},
"headers": Headers { <some fields may have been hidden> },
}
`);
});

it("updates the project email configuration", async ({ expect }) => {
await Auth.Otp.signIn();
const { adminAccessToken } = await Project.createAndGetAdminToken();
Expand Down
3 changes: 2 additions & 1 deletion packages/stack-shared/src/interface/crud/projects.ts
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,8 @@ export const emailConfigSchema = yupObject({
});

const domainSchema = yupObject({
domain: schemaFields.projectTrustedDomainSchema.defined(),
TheCactusBlue marked this conversation as resolved.
Show resolved Hide resolved
domain: schemaFields.urlSchema.defined()
.meta({ openapiField: { description: 'URL. Must either start with https:// or', exampleValue: 'https://example.com' } }),
handler_path: schemaFields.handlerPathSchema.defined(),
});

Expand Down
1 change: 0 additions & 1 deletion packages/stack-shared/src/schema-fields.ts
Original file line number Diff line number Diff line change
Expand Up @@ -288,7 +288,6 @@ export const emailUsernameSchema = yupString().meta({ openapiField: { descriptio
export const emailSenderEmailSchema = emailSchema.meta({ openapiField: { description: 'Email sender email. Needs to be specified when using type="standard"', exampleValue: '[email protected]' } });
export const emailPasswordSchema = passwordSchema.meta({ openapiField: { description: 'Email password. Needs to be specified when using type="standard"', exampleValue: 'your-email-password' } });
// Project domain config
export const projectTrustedDomainSchema = urlSchema.test('is-https', 'Trusted domain must start with https://', (value) => value?.startsWith('https://')).meta({ openapiField: { description: 'Your domain URL. Make sure you own and trust this domain. Needs to start with https://', exampleValue: 'https://example.com' } });
export const handlerPathSchema = yupString().test('is-handler-path', 'Handler path must start with /', (value) => value?.startsWith('/')).meta({ openapiField: { description: 'Handler path. If you did not setup a custom handler path, it should be "/handler" by default. It needs to start with /', exampleValue: '/handler' } });

// Users
Expand Down
Loading