Merge pull request #2165 from NYPL/NOREF-disallow-internal-hostname

Add fix to fix use of discovery.nypl.org in redirect_uri
NYPL · Nov 7, 2024 · b29a083 · b29a083
2 parents 88eb06c + c967489
commit b29a083
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -96,7 +96,7 @@ jobs:
           aws ecs update-service --cluster discovery-ui-edd --service discovery-ui-edd --force-new-deployment
   publish_production:
     # needs: test
-    if: github.ref == 'refs/heads/TGR-50/remediation-update'
+    if: github.ref == 'refs/heads/production'
     name: Publish image to ECR and update ECS stack
     runs-on: ubuntu-latest
     permissions:

diff --git a/src/server/ApiRoutes/User.js b/src/server/ApiRoutes/User.js
@@ -9,7 +9,9 @@ function requireUser(req, res) {
     const originalUrl = req.originalUrl.replace(new RegExp(`^${appConfig.baseUrl}/api/`), `${appConfig.baseUrl}/`)
     // TODO: Express 4.x strips the port from req.hostname, inconveniencing
     // local development. May cautiously retrieve it from headers or local config
-    const fullUrl = encodeURIComponent(`${req.protocol}://${req.hostname}${originalUrl}`);
+    const fullUrl = encodeURIComponent(`${req.protocol}://${req.hostname}${originalUrl}`)
+      // Don't allow internal hostname ([qa-]discovery.nypl.org) to be used in redirect:
+      .replace('discovery.nypl.org', 'www.nypl.org');
     redirect = `${appConfig.loginUrl}?redirect_uri=${fullUrl}`;
     if (!req.originalUrl.includes('/api/')) {
       res.redirect(redirect);