Add config options 'domain' #871
Conversation
|
PR for #847 This has one problem though: It breaks livereload in its current implementation. The problem is that the port of the server has to be appended to the new config option, so the value is for example Omitting the port would break the URLs generated by the backend such as the passwort reset link. I also thought about just using On possibility would be to use |
|
This works for the Livereload: ...then it doesn't matter if the thing is served at localhost, docker, staging... JS always picks up the current domain from the address bar. |
|
Jup, that should work. Hmm... is the content of |
| */ | ||
| var validateDomainIsSet = function (config) { | ||
| if(!config.app.domain){ | ||
| console.error(chalk.red('+ Important warning: config.domain is empty. To prevent HTTP Host header attacks please set config.domain.')); |
There was a problem hiding this comment.
To be consistent, I don't think this should be console.error, just console.log.
There was a problem hiding this comment.
Right.
@Koblaid I also don't think we need to be completely verbose with the specific security attacks but just mention that for security reasons the domain should be explicitly
|
What about: If a domain isn't set in the config, just default to req.hostname? |
|
Alright, I just pushed some changes. The domain is now retrieved via AFAICS the remaining issue is the hard-coded port in development.js. Omitting the port in So we could:
|
| @@ -56,7 +56,9 @@ | |||
|
|
|||
| {% if livereload %} | |||
| <!--Livereload script rendered --> | |||
| <script type="text/javascript" src="{{host}}:35729/livereload.js"></script> | |||
| <script type="text/javascript"> | |||
| document.write('\x3Cscript type="text/javascript" src="//' + window.location.hostname + ':35729/livereload.js">\x3C/script>'); | |||
There was a problem hiding this comment.
what's the reason for doing it like this? is that in order to take the "real" hostname from the URL rather than the config variable? If so, isn't there a cleaner way of doing it instead of document.write?
There was a problem hiding this comment.
Hehe, I didn't really like the code either, but was too lazy to really check it. Would this be better?
var scriptTag = document.createElement('script');
scriptTag.setAttribute('type', 'text/javascript');
scriptTag.setAttribute('src','//' + window.location.hostname + ':35729/livereload.js');
document.head.appendChild(scriptTag);
There was a problem hiding this comment.
Yes, that's much better if we actually need to change it like that.
There was a problem hiding this comment.
is that in order to take the "real" hostname from the URL rather than the config variable?
Yep. If testing/doing development behind proxy (e.g. Nginx) setup inside Vagrant/Docker, livereload would not work.
There was a problem hiding this comment.
Can we get this line changed to be better?
There was a problem hiding this comment.
Yep.
@Koblaid we're still waiting for you to change that line to your recommendation at https://github.com/meanjs/mean/pull/871/files#r39917678
|
@Koblaid about the port number issue, we already have a port number config option, can't we use it? for example: or will that not solve the issue? |
|
This works on localhost but it will break if the app is running for example on Heroku. Heroku sets the PORT environment variable to some arbitary port, while the app is reachable with port 80 from the outside. |
|
@Koblaid that's true also for any proxy configuration, say Nginx/Phusion Passenger. |
|
@Koblaid see my latest comment for this PR: #871 (comment) |
|
@lirantal Oh, sorry, at first I didn't know that you were still waiting for an answer and than I was busy ;-) Well, I don't know how it could work out of the box without hard-coding the domain in development mode. (By the way: the default port is also hard-coded in We could drop the Or we could separate the default port in
Than the first one could be used to start up the server and the second one could be used to dynamically generate the domain. But I think that would only make things more complicated. |
|
@Koblaid see my latest comments on the code section to finalize this PR. |
|
Alright, I hope its ok now. The livereload-tag is now generated as proposed, and the domain-config in development.js and test.js is set to a default value but overwritable by the environment variable. I wasn't sure about including the port into the default value for the domain-config in develepment.js and test.js. Should I remove it? I think it's necessary for URLs generated from the config to be correct. But I can still remove it if you like. |
| @@ -22,7 +22,8 @@ module.exports = { | |||
| } | |||
| }, | |||
| app: { | |||
| title: defaultEnvConfig.app.title + ' - Development Environment' | |||
| title: defaultEnvConfig.app.title + ' - Development Environment', | |||
| domain: process.env.DOMAIN || 'localhost:3000' | |||
There was a problem hiding this comment.
you can do here:
domain: process.env.DOMAIN || 'localhost:' + defaultEnvConfig.port;I think it's better because this way you don't hard code the port number.
|
Still needs to be rebased before we can even consider merging it. |
|
@Koblaid see my latest comments about the port and:
can you think of adding some test to check the domain configuration works or this is just plain config option that has no point in testing? |
The value will be used when the backend has to generate urls which point to the app. Using the hostname sent in the HTTP header is dangerous since an attacker could send a request with a spoofed HTTP header (HTTP Host header attack). If the config is not set a loud warning is printed on startup and the hostname of the HTTP header is used nevertheless.
barbogast
force-pushed
the
dont-use-host-from-http-header
branch
from
4c53837 to
987dfd0
Compare
|
|
@Koblaid can you add any meaningful tests? |
|
Hmm... I didn't see any existing tests for the configuration. Are there any? If not, what kind of tests do you have in mind? Checking if the configuration is correctly created for the different modes? Or that the created configuration acutally works for the different setups (with proxy, without proxy, ...)? Anyway, I think creating a test infrastructure for the configuration should be a separate issue/PR. |
|
@Koblaid tests always come with the implementation, that way we don't forget about them. Add whatever tests you see as meaningful and we'll go from there. |
|
@Koblaid We've defined configuration tests here. Perhaps a test could be written that is similar to some of these? |
|
@Koblaid Any update on this? |
|
I think it makes sense to move this to the 0.5.0 Milestone since there hasn't been any movement on this for over a week. Also, it seems that the Token Auth implementation might revolve around the domain/host options. We might just want to address this once we have a better idea on what Token Auth changes on the server-side. |
|
I second @mleanos that we should push this back. |
|
Sure let's move to 0.5.0 so it doesn't block anything (I don't see how it's related to the token auth though) |
|
@Koblaid would you like to make the changes required here to accommodate for the livereload update? |
|
#1101 was merged in. What's left to do on this PR? |
|
@codydaig let's close it for now. |
Generic DOMAI configuration environment variable, useful for setting links to an app in reset email templates, and other cases. Fixes meanjs#871 and meanjs#847
The value will be used when the backend has to generate urls which
point to the app. Using the hostname sent in the HTTP header is
dangerous since an attacker could send a request with a spoofed
HTTP header (HTTP Host header attack).
If the config is not set a loud warning is printed on startup and
the hostname of the HTTP header is used nevertheless.