Merge pull request #1850 from atmire/use-x-forwarded-for-redirect

Use values from x-forwarded headers in getOrigin server side

server.ts

@@ -76,6 +76,10 @@ export function app() {
    */
   const server = express();
 
+  // Tell Express to trust X-FORWARDED-* headers from proxies
+  // See https://expressjs.com/en/guide/behind-proxies.html
+  server.set('trust proxy', environment.ui.useProxies);
+
   /*
    * If production mode is enabled in the environment file:
    * - Enable Angular's production mode

src/app/core/services/browser-hard-redirect.service.spec.ts

@@ -2,17 +2,25 @@ import { TestBed } from '@angular/core/testing';
 import { BrowserHardRedirectService } from './browser-hard-redirect.service';
 
 describe('BrowserHardRedirectService', () => {
-  const origin = 'https://test-host.com:4000';
-  const mockLocation = {
+  let origin: string;
+  let mockLocation: Location;
+  let service: BrowserHardRedirectService;
+
+  beforeEach(() => {
+    origin = 'https://test-host.com:4000';
+    mockLocation = {
       href: undefined,
       pathname: '/pathname',
       search: '/search',
-    origin
+      origin,
+      replace: (url: string) => {
+        mockLocation.href = url;
+      }
     } as Location;
+    spyOn(mockLocation, 'replace');
 
-  const service: BrowserHardRedirectService = new BrowserHardRedirectService(mockLocation);
+    service = new BrowserHardRedirectService(mockLocation);
 
-  beforeEach(() => {
     TestBed.configureTestingModule({});
   });
 
@@ -28,8 +36,8 @@ describe('BrowserHardRedirectService', () => {
       service.redirect(redirect);
     });
 
-    it('should update the location', () => {
-      expect(mockLocation.href).toEqual(redirect);
+    it('should call location.replace with the new url', () => {
+      expect(mockLocation.replace).toHaveBeenCalledWith(redirect);
     });
   });
 

src/app/core/services/browser-hard-redirect.service.ts

@@ -24,7 +24,7 @@ export class BrowserHardRedirectService extends HardRedirectService {
    * @param url
    */
   redirect(url: string) {
-    this.location.href = url;
+    this.location.replace(url);
   }
 
   /**

src/config/config.util.spec.ts

@@ -10,6 +10,7 @@ describe('Config Util', () => {
       expect(appConfig.cache.msToLive.default).toEqual(15 * 60 * 1000); // 15 minute
       expect(appConfig.ui.rateLimiter.windowMs).toEqual(1 * 60 * 1000); // 1 minute
       expect(appConfig.ui.rateLimiter.max).toEqual(500);
+      expect(appConfig.ui.useProxies).toEqual(true);
 
       expect(appConfig.submission.autosave.metadata).toEqual([]);
 
@@ -25,6 +26,8 @@ describe('Config Util', () => {
       };
       appConfig.ui.rateLimiter = rateLimiter;
 
+      appConfig.ui.useProxies = false;
+
       const autoSaveMetadata = [
         'dc.author',
         'dc.title'
@@ -44,6 +47,7 @@ describe('Config Util', () => {
       expect(environment.cache.msToLive.default).toEqual(msToLive);
       expect(environment.ui.rateLimiter.windowMs).toEqual(rateLimiter.windowMs);
       expect(environment.ui.rateLimiter.max).toEqual(rateLimiter.max);
+      expect(environment.ui.useProxies).toEqual(false);
       expect(environment.submission.autosave.metadata[0]).toEqual(autoSaveMetadata[0]);
       expect(environment.submission.autosave.metadata[1]).toEqual(autoSaveMetadata[1]);
 

src/config/default-app-config.ts

@@ -39,7 +39,10 @@ export class DefaultAppConfig implements AppConfig {
     rateLimiter: {
       windowMs: 1 * 60 * 1000, // 1 minute
       max: 500 // limit each IP to 500 requests per windowMs
-    }
+    },
+
+    // Trust X-FORWARDED-* headers from proxies
+    useProxies: true,
   };
 
   // The REST API server settings

src/config/ui-server-config.interface.ts

@@ -11,4 +11,6 @@ export class UIServerConfig extends ServerConfig {
     max: number;
   };
 
+  // Trust X-FORWARDED-* headers from proxies
+  useProxies: boolean;
 }

src/environments/environment.test.ts

@@ -25,7 +25,8 @@ export const environment: BuildConfig = {
     rateLimiter: {
       windowMs: 1 * 60 * 1000, // 1 minute
       max: 500 // limit each IP to 500 requests per windowMs
-    }
+    },
+    useProxies: true,
   },
 
   // The REST API server settings.