fixup! feat: Add api-login domain to connect-src directive

Author: zatteo

web/middlewares/domain_utils.go

@@ -0,0 +1,9 @@
+package middlewares
+
+import (
+	"strings"
+)
+
+func parseDomainForApiLogin(domain string) (string, string, bool) {
+	return strings.Cut(domain, ".")
+}

web/middlewares/domain_utils_test.go

@@ -0,0 +1,68 @@
+package middlewares
+
+import (
+	"testing"
+)
+
+// TestParseDomainForApiLogin tests the parseDomainForApiLogin function
+// which is a simple wrapper around strings.Cut.
+func TestParseDomainForApiLogin(t *testing.T) {
+	tests := []struct {
+		name           string
+		input          string
+		expectedBefore string
+		expectedAfter  string
+		expectedFound  bool
+	}{
+		{
+			name:           "domain with multiple parts",
+			input:          "alice.cozy.example.com",
+			expectedBefore: "alice",
+			expectedAfter:  "cozy.example.com",
+			expectedFound:  true,
+		},
+		{
+			name:           "domain with exactly 2 parts",
+			input:          "cozy.example.com",
+			expectedBefore: "cozy",
+			expectedAfter:  "example.com",
+			expectedFound:  true,
+		},
+		{
+			name:           "domain with exactly 1 part",
+			input:          "localhost",
+			expectedBefore: "localhost",
+			expectedAfter:  "",
+			expectedFound:  false,
+		},
+		{
+			name:           "empty domain",
+			input:          "",
+			expectedBefore: "",
+			expectedAfter:  "",
+			expectedFound:  false,
+		},
+		{
+			name:           "domain with special characters",
+			input:          "user-123.cozy.example.com",
+			expectedBefore: "user-123",
+			expectedAfter:  "cozy.example.com",
+			expectedFound:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			before, after, found := parseDomainForApiLogin(tt.input)
+			if before != tt.expectedBefore {
+				t.Errorf("parseDomainForApiLogin(%q) before = %q, want %q", tt.input, before, tt.expectedBefore)
+			}
+			if after != tt.expectedAfter {
+				t.Errorf("parseDomainForApiLogin(%q) after = %q, want %q", tt.input, after, tt.expectedAfter)
+			}
+			if found != tt.expectedFound {
+				t.Errorf("parseDomainForApiLogin(%q) found = %t, want %t", tt.input, found, tt.expectedFound)
+			}
+		})
+	}
+}

web/middlewares/secure.go

@@ -307,11 +307,9 @@ func (b cspBuilder) makeCSPHeader(header, cspAllowList string, sources []CSPSour
 	}
 	// Add api-login.{org_id}.{domain without prefix} to connect-src directive if present
 	if header == "connect-src" && b.instance != nil && b.instance.OrgID != "" {
-		if parts := strings.Split(b.instance.Domain, "."); len(parts) >= 3 {
-			domainWithoutPrefix := strings.Join(parts[1:], ".")
-			headers = append(headers, "api-login-"+b.instance.OrgID+"."+domainWithoutPrefix)
-		} else {
-			headers = append(headers, "api-login-"+b.instance.OrgID+"."+b.instance.Domain)
+		_, domain, found := parseDomainForApiLogin(b.instance.Domain)
+		if found {
+			headers = append(headers, "api-login-"+b.instance.OrgID+"."+domain)
 		}
 	}
 	if len(headers) == 0 {

web/middlewares/secure_test.go

@@ -202,112 +202,4 @@ func TestSecure(t *testing.T) {
 			}
 		}
 	})
-
-	t.Run("SecureMiddlewareCSPWithOrgDomainAPILogin", func(t *testing.T) {
-		// Test case 1: Domain with 3+ parts (alice.twake.app)
-		// Should strip the first part and use "twake.app"
-		e1 := echo.New()
-		req1, _ := http.NewRequest(echo.GET, "http://alice.twake.app/", nil)
-		rec1 := httptest.NewRecorder()
-		c1 := e1.NewContext(req1, rec1)
-		inst1 := &instance.Instance{
-			Domain:    "alice.twake.app",
-			OrgDomain: "example.com",
-			OrgID:     "org123",
-		}
-		c1.Set("instance", inst1)
-		h1 := Secure(&SecureConfig{
-			CSPConnectSrc: []CSPSource{CSPSrcSelf},
-		})(echo.NotFoundHandler)
-		_ = h1(c1)
-
-		csp1 := rec1.Header().Get(echo.HeaderContentSecurityPolicy)
-
-		// Should contain api-login-org123.twake.app (domain without alice prefix)
-		assert.Contains(t, csp1, "api-login-org123.twake.app",
-			"connect-src should contain api-login-org123.twake.app for domain with 3+ parts. CSP: %s", csp1)
-
-		connectSrcIndex := strings.Index(csp1, "connect-src ")
-		assert.NotEqual(t, -1, connectSrcIndex,
-			"connect-src should be present in CSP. Full CSP: %s", csp1)
-
-		connectSrcEnd := strings.Index(csp1[connectSrcIndex:], ";")
-		assert.NotEqual(t, -1, connectSrcEnd,
-			"connect-src should end with semicolon")
-
-		connectSrcContent := csp1[connectSrcIndex : connectSrcIndex+connectSrcEnd]
-		assert.Contains(t, connectSrcContent, "api-login-org123.twake.app",
-			"connect-src should contain api-login-org123.twake.app. Found: %s", connectSrcContent)
-
-		// Test case 2: Domain with fewer than 3 parts (cozy.local)
-		// Should use the domain as-is
-		e2 := echo.New()
-		req2, _ := http.NewRequest(echo.GET, "http://cozy.local/", nil)
-		rec2 := httptest.NewRecorder()
-		c2 := e2.NewContext(req2, rec2)
-		inst2 := &instance.Instance{
-			Domain:    "cozy.local",
-			OrgDomain: "example.com",
-			OrgID:     "org456",
-		}
-		c2.Set("instance", inst2)
-		h2 := Secure(&SecureConfig{
-			CSPConnectSrc: []CSPSource{CSPSrcSelf},
-		})(echo.NotFoundHandler)
-		_ = h2(c2)
-
-		csp2 := rec2.Header().Get(echo.HeaderContentSecurityPolicy)
-
-		// Should contain api-login-org456.cozy.local (full domain used)
-		assert.Contains(t, csp2, "api-login-org456.cozy.local",
-			"connect-src should contain api-login-org456.cozy.local for domain with <3 parts. CSP: %s", csp2)
-
-		connectSrcIndex2 := strings.Index(csp2, "connect-src ")
-		assert.NotEqual(t, -1, connectSrcIndex2,
-			"connect-src should be present in CSP. Full CSP: %s", csp2)
-
-		connectSrcEnd2 := strings.Index(csp2[connectSrcIndex2:], ";")
-		assert.NotEqual(t, -1, connectSrcEnd2,
-			"connect-src should end with semicolon")
-
-		connectSrcContent2 := csp2[connectSrcIndex2 : connectSrcIndex2+connectSrcEnd2]
-		assert.Contains(t, connectSrcContent2, "api-login-org456.cozy.local",
-			"connect-src should contain api-login-org456.cozy.local. Found: %s", connectSrcContent2)
-
-		// Test case 3: Domain with 4 parts (bob.acme.twake.app)
-		// Should strip only the first part and use "acme.twake.app"
-		e3 := echo.New()
-		req3, _ := http.NewRequest(echo.GET, "http://bob.acme.twake.app/", nil)
-		rec3 := httptest.NewRecorder()
-		c3 := e3.NewContext(req3, rec3)
-		inst3 := &instance.Instance{
-			Domain:    "bob.acme.twake.app",
-			OrgDomain: "example.org",
-			OrgID:     "org789",
-		}
-		c3.Set("instance", inst3)
-		h3 := Secure(&SecureConfig{
-			CSPConnectSrc: []CSPSource{CSPSrcSelf},
-		})(echo.NotFoundHandler)
-		_ = h3(c3)
-
-		csp3 := rec3.Header().Get(echo.HeaderContentSecurityPolicy)
-
-		// Should contain api-login-org789.acme.twake.app (domain without bob prefix)
-		assert.Contains(t, csp3, "api-login-org789.acme.twake.app",
-			"connect-src should contain api-login-org789.acme.twake.app for domain with 4 parts. CSP: %s", csp3)
-
-		// Verify it's in connect-src directive
-		connectSrcIndex3 := strings.Index(csp3, "connect-src ")
-		assert.NotEqual(t, -1, connectSrcIndex3,
-			"connect-src should be present in CSP. Full CSP: %s", csp3)
-
-		connectSrcEnd3 := strings.Index(csp3[connectSrcIndex3:], ";")
-		assert.NotEqual(t, -1, connectSrcEnd3,
-			"connect-src should end with semicolon")
-
-		connectSrcContent3 := csp3[connectSrcIndex3 : connectSrcIndex3+connectSrcEnd3]
-		assert.Contains(t, connectSrcContent3, "api-login-org789.acme.twake.app",
-			"connect-src should contain api-login-org789.acme.twake.app. Found: %s", connectSrcContent3)
-	})
 }