Revert "fix(frontend): replace expected-origin-boundary with middleware"

This reverts commit 982bc4ba

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
This commit is contained in:
Tilman Vatteroth 2023-09-10 15:11:59 +02:00
parent a5b7c1c62f
commit 11a47b6087
4 changed files with 73 additions and 86 deletions

View file

@ -9,6 +9,7 @@ import { BaseUrlContextProvider } from '../../components/common/base-url/base-ur
import { FrontendConfigContextProvider } from '../../components/common/frontend-config-context/frontend-config-context-provider'
import { MotdModal } from '../../components/global-dialogs/motd-modal/motd-modal'
import { DarkMode } from '../../components/layout/dark-mode/dark-mode'
import { ExpectedOriginBoundary } from '../../components/layout/expected-origin-boundary'
import { UiNotificationBoundary } from '../../components/notifications/ui-notification-boundary'
import { StoreProvider } from '../../redux/store-provider'
import { baseUrlFromEnvExtractor } from '../../utils/base-url-from-env-extractor'
@ -34,29 +35,29 @@ export default async function RootLayout({ children, appBar }: RootLayoutProps)
<link color='#b51f08' href='/icons/safari-pinned-tab.svg' rel='mask-icon' />
</head>
<body>
<BaseUrlContextProvider baseUrls={baseUrls}>
<FrontendConfigContextProvider config={frontendConfig}>
<StoreProvider>
<ApplicationLoader>
<DarkMode />
<MotdModal />
<UiNotificationBoundary>
<div className={'d-flex flex-column vh-100'}>
{appBar}
{children}
</div>
</UiNotificationBoundary>
</ApplicationLoader>
</StoreProvider>
</FrontendConfigContextProvider>
</BaseUrlContextProvider>
<ExpectedOriginBoundary expectedOrigin={baseUrls.editor}>
<BaseUrlContextProvider baseUrls={baseUrls}>
<FrontendConfigContextProvider config={frontendConfig}>
<StoreProvider>
<ApplicationLoader>
<DarkMode />
<MotdModal />
<UiNotificationBoundary>
<div className={'d-flex flex-column vh-100'}>
{appBar}
{children}
</div>
</UiNotificationBoundary>
</ApplicationLoader>
</StoreProvider>
</FrontendConfigContextProvider>
</BaseUrlContextProvider>
</ExpectedOriginBoundary>
</body>
</html>
)
}
export const dynamic = 'force-dynamic'
export const metadata: Metadata = {
themeColor: '#b51f08',
applicationName: 'HedgeDoc',

View file

@ -7,6 +7,7 @@ import '../../../global-styles/index.scss'
import { ApplicationLoader } from '../../components/application-loader/application-loader'
import { BaseUrlContextProvider } from '../../components/common/base-url/base-url-context-provider'
import { FrontendConfigContextProvider } from '../../components/common/frontend-config-context/frontend-config-context-provider'
import { ExpectedOriginBoundary } from '../../components/layout/expected-origin-boundary'
import { StoreProvider } from '../../redux/store-provider'
import { baseUrlFromEnvExtractor } from '../../utils/base-url-from-env-extractor'
import React from 'react'
@ -19,16 +20,16 @@ export default async function RootLayout({ children }: { children: React.ReactNo
return (
<html lang='en'>
<body>
<BaseUrlContextProvider baseUrls={baseUrls}>
<FrontendConfigContextProvider config={frontendConfig}>
<StoreProvider>
<ApplicationLoader>{children}</ApplicationLoader>
</StoreProvider>
</FrontendConfigContextProvider>
</BaseUrlContextProvider>
<ExpectedOriginBoundary expectedOrigin={baseUrls.renderer}>
<BaseUrlContextProvider baseUrls={baseUrls}>
<FrontendConfigContextProvider config={frontendConfig}>
<StoreProvider>
<ApplicationLoader>{children}</ApplicationLoader>
</StoreProvider>
</FrontendConfigContextProvider>
</BaseUrlContextProvider>
</ExpectedOriginBoundary>
</body>
</html>
)
}
export const dynamic = 'force-dynamic'

View file

@ -0,0 +1,44 @@
/*
* SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
*
* SPDX-License-Identifier: AGPL-3.0-only
*/
import { headers } from 'next/headers'
import type { PropsWithChildren } from 'react'
import React from 'react'
export interface ExpectedOriginBoundaryProps extends PropsWithChildren {
expectedOrigin: string
}
/**
* Determines the host and protocol of the current request by checking the host or x-forwarded-host header.
*
* @return the calculated request origin or {@code undefined} if no host header has been found
*/
export const buildOriginFromHeaders = (): string | undefined => {
const currentHeader = headers()
const host = currentHeader.get('x-forwarded-host') ?? currentHeader.get('host')
if (host === null) {
return undefined
}
const protocol = currentHeader.get('x-forwarded-proto')?.split(',')[0] ?? 'http'
return `${protocol}://${host}`
}
/**
* This boundary lets the given children pass if the current request origin is matching the expected origin for this route.
* Otherwise, an error message is shown instead.
*
* @param children the children to show if the origin passes
* @param expectedOrigin The origin that should match the request's origin
*/
export const ExpectedOriginBoundary: React.FC<ExpectedOriginBoundaryProps> = ({ children, expectedOrigin }) => {
const currentOrigin = buildOriginFromHeaders()
if (new URL(expectedOrigin).origin !== currentOrigin) {
return <span>{`You can't open this page using this URL. For this endpoint "${expectedOrigin}" is expected.`}</span>
}
return children
}

View file

@ -1,59 +0,0 @@
/*
* SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
*
* SPDX-License-Identifier: AGPL-3.0-only
*/
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
import { baseUrlFromEnvExtractor } from './utils/base-url-from-env-extractor'
/**
* Next.js middleware that checks if the expected and the current origin align.
*
* @param request The current request to check
*/
export function middleware(request: NextRequest) {
const currentOrigin = determineOriginFromHeaders(request.headers)
const expectedOrigin = determineExpectedOrigin(request)
if (currentOrigin === expectedOrigin) {
return
}
return new NextResponse(
`You can't open this page using this URL. For this endpoint "${expectedOrigin}" is expected.`,
{
status: 400,
headers: { 'content-type': 'text/plain' }
}
)
}
/**
* Determines the host and protocol of the current request by checking the host or x-forwarded-host header.
*
* @param headers The request headers provided by Next.js
*/
const determineOriginFromHeaders = (headers: Headers): string | undefined => {
const host = headers.get('x-forwarded-host') ?? headers.get('host')
if (host === null) {
return undefined
}
const protocol = headers.get('x-forwarded-proto')?.split(',')[0] ?? 'http'
return `${protocol}://${host}`
}
/**
* Uses the current route to determine the expected origin.
*
* @param request The current request
*/
const determineExpectedOrigin = (request: NextRequest): string => {
return new URL(
request.nextUrl.pathname === '/render'
? baseUrlFromEnvExtractor.extractBaseUrls().renderer
: baseUrlFromEnvExtractor.extractBaseUrls().editor
).origin
}