remove the origin check logic

iQQBot · iQQBot · commit 10b52a6a279e · 2025-07-30T14:01:11.000Z
diff --git a/components/server/src/auth/authenticator.ts b/components/server/src/auth/authenticator.ts
@@ -189,18 +189,6 @@ export class Authenticator {
                         res.status(403).send("Authentication failed");
                         return;
                     }
-
-                    // Validate origin for additional CSRF protection
-                    if (!this.nonceService.validateOrigin(req, host)) {
-                        log.error(`CSRF protection: Origin validation failed`, {
-                            url: req.url,
-                            origin: req.get("Origin"),
-                            referer: req.get("Referer"),
-                            expectedHost: host,
-                        });
-                        res.status(403).send("Invalid request");
-                        return;
-                    }
                 }
 
                 // Always clear the nonce cookie
diff --git a/components/server/src/auth/nonce-service.spec.ts b/components/server/src/auth/nonce-service.spec.ts
@@ -6,7 +6,6 @@
 
 import { expect } from "chai";
 import { Container } from "inversify";
-import express from "express";
 import { Config } from "../config";
 import { NonceService } from "./nonce-service";
 
@@ -65,76 +64,4 @@ describe("NonceService", () => {
             expect(nonceService.validateNonce(undefined, undefined)).to.be.false;
         });
     });
-
-    describe("validateOrigin", () => {
-        it("should accept requests from expected SCM provider origin", () => {
-            const req = {
-                get: (header: string) => {
-                    if (header === "Origin") return "https://github.com";
-                    return undefined;
-                },
-            } as Partial<express.Request> as express.Request;
-
-            const isValid = nonceService.validateOrigin(req, "github.com");
-            expect(isValid).to.be.true;
-        });
-
-        it("should reject requests from different origin", () => {
-            const req = {
-                get: (header: string) => {
-                    if (header === "Origin") return "https://evil.com";
-                    return undefined;
-                },
-            } as Partial<express.Request> as express.Request;
-
-            const isValid = nonceService.validateOrigin(req, "github.com");
-            expect(isValid).to.be.false;
-        });
-
-        it("should reject requests without origin or referer", () => {
-            const req = {
-                get: () => undefined,
-            } as Partial<express.Request> as express.Request;
-
-            const isValid = nonceService.validateOrigin(req, "github.com");
-            expect(isValid).to.be.false;
-        });
-
-        it("should accept requests with valid referer from expected host", () => {
-            const req = {
-                get: (header: string) => {
-                    if (header === "Referer") return "https://gitlab.com/oauth/authorize";
-                    return undefined;
-                },
-            } as Partial<express.Request> as express.Request;
-
-            const isValid = nonceService.validateOrigin(req, "gitlab.com");
-            expect(isValid).to.be.true;
-        });
-
-        it("should work with different SCM providers", () => {
-            const testCases = [
-                { origin: "https://github.com", expectedHost: "github.com", shouldPass: true },
-                { origin: "https://gitlab.com", expectedHost: "gitlab.com", shouldPass: true },
-                { origin: "https://bitbucket.org", expectedHost: "bitbucket.org", shouldPass: true },
-                { origin: "https://github.com", expectedHost: "gitlab.com", shouldPass: false },
-                { origin: "https://evil.com", expectedHost: "github.com", shouldPass: false },
-            ];
-
-            testCases.forEach(({ origin, expectedHost, shouldPass }) => {
-                const req = {
-                    get: (header: string) => {
-                        if (header === "Origin") return origin;
-                        return undefined;
-                    },
-                } as Partial<express.Request> as express.Request;
-
-                const isValid = nonceService.validateOrigin(req, expectedHost);
-                expect(isValid).to.equal(
-                    shouldPass,
-                    `${origin} vs ${expectedHost} should ${shouldPass ? "pass" : "fail"}`,
-                );
-            });
-        });
-    });
 });
diff --git a/components/server/src/auth/nonce-service.ts b/components/server/src/auth/nonce-service.ts
@@ -77,32 +77,4 @@ export class NonceService {
 
         return crypto.timingSafeEqual(stateBuffer, cookieBuffer);
     }
-
-    /**
-     * Validates that the request origin is from the expected SCM provider domain
-     */
-    validateOrigin(req: express.Request, expectedHost: string): boolean {
-        const origin = req.get("Origin");
-        const referer = req.get("Referer");
-
-        // For OAuth callbacks, we expect either Origin or Referer header
-        const requestSource = origin || referer;
-
-        if (!requestSource) {
-            // No origin/referer header - this could be a direct navigation or CSRF attack
-            return false;
-        }
-
-        try {
-            const sourceUrl = new URL(requestSource);
-
-            // Validate that the request comes from the expected SCM provider host
-            // expectedHost could be "github.com", "gitlab.com", etc.
-            const expectedOrigin = `https://${expectedHost}`;
-            return sourceUrl.origin === expectedOrigin;
-        } catch (error) {
-            // Invalid URL format
-            return false;
-        }
-    }
 }
