diff --git a/.env b/.env
index 81145b563d..9df5864bd0 100644
--- a/.env
+++ b/.env
@@ -4,7 +4,7 @@ _APP_WORKER_PER_CORE=6
 _APP_CONSOLE_WHITELIST_ROOT=disabled
 _APP_CONSOLE_WHITELIST_EMAILS=
 _APP_CONSOLE_WHITELIST_IPS=
-_APP_CONSOLE_HOSTNAMES=
+_APP_CONSOLE_HOSTNAMES=localhost,appwrite.io,*.appwrite.io
 _APP_SYSTEM_EMAIL_NAME=Appwrite
 _APP_SYSTEM_EMAIL_ADDRESS=team@appwrite.io
 _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io
diff --git a/app/config/variables.php b/app/config/variables.php
index a88145601d..69eca57533 100644
--- a/app/config/variables.php
+++ b/app/config/variables.php
@@ -127,7 +127,7 @@ return [
 [
 'name' => '_APP_CONSOLE_HOSTNAMES',
 'description' => 'This option allows you to add additional hostnames to your Appwrite console. This option is very useful for allowing access to the console project from additional domains. To enable it, pass a list of allowed hostnames separated by a comma.',
- 'introduction' => '',
+ 'introduction' => '1.5.0',
 'default' => '',
 'required' => false,
 'question' => '',
diff --git a/app/init.php b/app/init.php
index ccd7b96573..1bc362fdc2 100644
--- a/app/init.php
+++ b/app/init.php
@@ -80,6 +80,7 @@ use Utopia\Queue\Connection;
 use Utopia\Storage\Storage;
 use Utopia\VCS\Adapter\Git\GitHub as VcsGitHub;
 use Utopia\Validator\Range;
+use Utopia\Validator\Hostname;
 use Utopia\Validator\IP;
 use Utopia\Validator\URL;
 use Utopia\Validator\WhiteList;
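Review bot: In the `.env` hunk, the new default `_APP_CONSOLE_HOSTNAMES=localhost,appwrite.io,*.appwrite.io` commits a vendor domain and a wildcard into the repository's environment file, so any instance started from this file registers every subdomain of appwrite.io as a console web platform (see the loop changed in app/init.php in this same commit). If these values exist only so the new CORS e2e test passes, set them in the test environment and keep the shipped value empty. If they must stay, add a comment above the line such as `# Hostnames trusted as console origins; replace with your own domains before deploying`. A wildcard trusts every host under that domain, including ones not yet created, so it is worth confirming that this is intended for self-hosted installs.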
@@ -947,15 +948,18 @@ App::setResource('clients', function ($request, $console, $project) {
 ], Document::SET_TYPE_APPEND);
 $hostnames = explode(',', App::getEnv('_APP_CONSOLE_HOSTNAMES', ''));
- if (is_array($hostnames)) {
- foreach ($hostnames as $hostname) {
- $console->setAttribute('platforms', [
- '$collection' => ID::custom('platforms'),
- 'type' => Origin::CLIENT_TYPE_WEB,
- 'name' => $hostname,
- 'hostname' => $hostname,
- ], Document::SET_TYPE_APPEND);
+ $validator = new Hostname();
+ foreach ($hostnames as $hostname) {
+ $hostname = trim($hostname);
+ if (!$validator->isValid($hostname)) {
+ continue;
 }
+ $console->setAttribute('platforms', [
+ '$collection' => ID::custom('platforms'),
+ 'type' => Origin::CLIENT_TYPE_WEB,
+ 'name' => $hostname,
+ 'hostname' => $hostname,
+ ], Document::SET_TYPE_APPEND);
 }
 /**
diff --git a/tests/e2e/General/HTTPTest.php b/tests/e2e/General/HTTPTest.php
index f83f28c26d..bf8f6de279 100644
--- a/tests/e2e/General/HTTPTest.php
+++ b/tests/e2e/General/HTTPTest.php
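Review bot: In the app/init.php hunk, entries that fail `$validator->isValid($hostname)` are dropped by a bare `continue`, so an operator who puts a scheme, a port or a typo in `_APP_CONSOLE_HOSTNAMES` gets no signal that an origin they expected to be trusted was ignored. Because this list decides which web origins are registered as console platforms, I would log the rejected value before `continue` using the logging facility the file already has. Empty strings should be skipped without logging, since `explode(',', '')` yields one empty element when the variable is unset. `Hostname` is constructed without arguments here, so whether very broad patterns such as a bare `*` are rejected cannot be seen from this hunk and is worth confirming. The `App::setResource('clients', …)` closure starts and ends outside the hunk.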
@@ -171,4 +171,50 @@ class HTTPTest extends Scope
 $this->assertEquals(200, $response['headers']['status-code']);
 }
+
+ public function testCors()
+ {
+ /**
+ * Test for SUCCESS
+ */
+
+ $endpoint = '/v1/projects'; // Can be any non-404 route
+
+ $response = $this->client->call(Client::METHOD_GET, $endpoint);
+
+ $this->assertEquals('http://localhost', $response['headers']['access-control-allow-origin']);
+
+ $response = $this->client->call(Client::METHOD_GET, $endpoint, [
+ 'origin' => 'http://localhost',
+ ]);
+
+ $this->assertEquals('http://localhost', $response['headers']['access-control-allow-origin']);
+
+ $response = $this->client->call(Client::METHOD_GET, $endpoint, [
+ 'origin' => 'http://appwrite.io',
+ ]);
+
+ $this->assertEquals('http://appwrite.io', $response['headers']['access-control-allow-origin']);
+
+ $response = $this->client->call(Client::METHOD_GET, $endpoint, [
+ 'origin' => 'https://appwrite.io',
+ ]);
+
+ $this->assertEquals('https://appwrite.io', $response['headers']['access-control-allow-origin']);
+
+ $response = $this->client->call(Client::METHOD_GET, $endpoint, [
+ 'origin' => 'http://cloud.appwrite.io',
+ ]);
+
+ $this->assertEquals('http://cloud.appwrite.io', $response['headers']['access-control-allow-origin']);
+
+ /**
+ * Test for FAILURE
+ */
+ $response = $this->client->call(Client::METHOD_GET, $endpoint, [
+ 'origin' => 'http://google.com',
+ ]);
+
+ $this->assertEquals('http://localhost', $response['headers']['access-control-allow-origin']);
+ }
 }
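Review bot: The FAILURE block of `testCors()` checks only `http://google.com`, which never exercises the edges of the new `*.appwrite.io` wildcard. Add negative cases whose origin merely contains the allowed name, for example `'origin' => 'http://appwrite.io.example.com'` and `'origin' => 'http://notappwrite.io'` (constructed values), each asserting the fallback `http://localhost`. That way a regression to substring or unanchored suffix matching is caught. The test also passes only when `_APP_CONSOLE_HOSTNAMES` carries the values from `.env`, so a one-line comment on the method stating that dependency would help; the method could also declare `: void`.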