fix: update resource server validation to use allowedExternalUrls

brionmario · brionmario · commit f3357bba0d8b · 2025-12-02T14:30:11.000+05:30
diff --git a/packages/browser/src/__legacy__/helpers/authentication-helper.ts b/packages/browser/src/__legacy__/helpers/authentication-helper.ts
@@ -29,6 +29,7 @@ import {
   OIDCEndpoints,
   TokenResponse,
   extractPkceStorageKeyFromState,
+  Config,
 } from '@asgardeo/javascript';
 import {SPAHelper} from './spa-helper';
 import {
@@ -103,26 +104,26 @@ export class AuthenticationHelper<T extends MainThreadClientConfig | WebWorkerCl
     config: SPACustomGrantConfig,
     enableRetrievingSignOutURLFromSession?: (config: SPACustomGrantConfig) => void,
   ): Promise<User | Response> {
+    const _config: Config = (await this._storageManager.getConfigData()) as Config;
     let useDefaultEndpoint = true;
     let matches = false;
 
     // If the config does not contains a token endpoint, default token endpoint will be used.
     if (config?.tokenEndpoint) {
       useDefaultEndpoint = false;
 
-      for (const baseUrl of [
-        ...((await this._storageManager.getConfigData())?.resourceServerURLs ?? []),
-        (config as any).baseUrl,
-      ]) {
+      for (const baseUrl of [...(_config?.allowedExternalUrls ?? []), (config as any).baseUrl]) {
         if (baseUrl && config.tokenEndpoint?.startsWith(baseUrl)) {
           matches = true;
           break;
         }
       }
     }
+
     if (config.shouldReplayAfterRefresh) {
       this._storageManager.setTemporaryDataParameter(CUSTOM_GRANT_CONFIG, JSON.stringify(config));
     }
+
     if (useDefaultEndpoint || matches) {
       return this._authenticationClient
         .exchangeToken(config)
@@ -147,9 +148,9 @@ export class AuthenticationHelper<T extends MainThreadClientConfig | WebWorkerCl
         new AsgardeoAuthException(
           'SPA-MAIN_THREAD_CLIENT-RCG-IV01',
           'Request to the provided endpoint is prohibited.',
-          'Requests can only be sent to resource servers specified by the `resourceServerURLs`' +
+          'Requests can only be sent to resource servers specified by the `allowedExternalUrls`' +
             ' attribute while initializing the SDK. The specified token endpoint in this request ' +
-            'cannot be found among the `resourceServerURLs`',
+            'cannot be found among the `allowedExternalUrls`',
         ),
       );
     }
@@ -224,9 +225,9 @@ export class AuthenticationHelper<T extends MainThreadClientConfig | WebWorkerCl
     enableRetrievingSignOutURLFromSession?: (config: SPACustomGrantConfig) => void,
   ): Promise<HttpResponse> {
     let matches = false;
-    const config = await this._storageManager.getConfigData();
+    const config: Config = (await this._storageManager.getConfigData()) as Config;
 
-    for (const baseUrl of [...((await config?.resourceServerURLs) ?? []), (config as any).baseUrl]) {
+    for (const baseUrl of [...(config?.allowedExternalUrls ?? []), (config as any).baseUrl]) {
       if (baseUrl && requestConfig?.url?.startsWith(baseUrl)) {
         matches = true;
 
@@ -319,9 +320,9 @@ export class AuthenticationHelper<T extends MainThreadClientConfig | WebWorkerCl
         new AsgardeoAuthException(
           'SPA-AUTH_HELPER-HR-IV02',
           'Request to the provided endpoint is prohibited.',
-          'Requests can only be sent to resource servers specified by the `resourceServerURLs`' +
+          'Requests can only be sent to resource servers specified by the `allowedExternalUrls`' +
             ' attribute while initializing the SDK. The specified endpoint in this request ' +
-            'cannot be found among the `resourceServerURLs`',
+            'cannot be found among the `allowedExternalUrls`',
         ),
       );
     }
@@ -335,12 +336,12 @@ export class AuthenticationHelper<T extends MainThreadClientConfig | WebWorkerCl
     httpFinishCallback?: () => void,
   ): Promise<HttpResponse[] | undefined> {
     let matches = true;
-    const config = await this._storageManager.getConfigData();
+    const config: Config = (await this._storageManager.getConfigData()) as Config;
 
     for (const requestConfig of requestConfigs) {
       let urlMatches = false;
 
-      for (const baseUrl of [...((await config)?.resourceServerURLs ?? []), (config as any).baseUrl]) {
+      for (const baseUrl of [...(config?.allowedExternalUrls ?? []), (config as any).baseUrl]) {
         if (baseUrl && requestConfig.url?.startsWith(baseUrl)) {
           urlMatches = true;
 
@@ -436,9 +437,9 @@ export class AuthenticationHelper<T extends MainThreadClientConfig | WebWorkerCl
       throw new AsgardeoAuthException(
         'SPA-AUTH_HELPER-HRA-IV02',
         'Request to the provided endpoint is prohibited.',
-        'Requests can only be sent to resource servers specified by the `resourceServerURLs`' +
+        'Requests can only be sent to resource servers specified by the `allowedExternalUrls`' +
           ' attribute while initializing the SDK. The specified endpoint in this request ' +
-          'cannot be found among the `resourceServerURLs`',
+          'cannot be found among the `allowedExternalUrls`',
       );
     }
   }
diff --git a/packages/browser/src/__legacy__/models/client-config.ts b/packages/browser/src/__legacy__/models/client-config.ts
@@ -28,7 +28,7 @@ export interface SPAConfig {
   syncSession?: boolean;
   checkSessionInterval?: number;
   sessionRefreshInterval?: number;
-  resourceServerURLs?: string[];
+  allowedExternalUrls?: string[];
   authParams?: Record<string, string>;
   periodicTokenRefresh?: boolean;
   autoLogoutOnTokenRefreshError?: boolean;
diff --git a/packages/javascript/src/models/config.ts b/packages/javascript/src/models/config.ts
@@ -78,6 +78,24 @@ export interface BaseConfig<T = unknown> extends WithPreferences {
    */
   afterSignOutUrl?: string | undefined;
 
+  /**
+   * A list of external API base URLs that the SDK is allowed to attach access tokens to when making HTTP requests.
+   *
+   * When making authenticated HTTP requests using the SDK's HTTP client, the access token will only be attached
+   * to requests whose URLs start with one of these specified base URLs. This provides a security layer by
+   * preventing tokens from being sent to unauthorized servers.
+   *
+   * @remarks
+   * - This is only applicable when the storage type is `webWorker`.
+   * - Each URL should be a base URL without trailing slashes (e.g., "https://api.example.com").
+   * - The SDK will check if the request URL starts with any of these base URLs before attaching the token.
+   * - If a request is made to a URL that doesn't match any of these base URLs, an error will be thrown.
+   *
+   * @example
+   * allowedExternalUrls: ["https://api.example.com", "https://api.another-service.com"]
+   */
+  allowedExternalUrls?: string[];
+
   /**
    * Optional organization handle for the Organization in Asgardeo.
    * This is used to identify the organization in the Asgardeo identity server in cases like Branding, etc.
