feat(registry): add new proxy headers setting

stas-nc · stas-nc · commit 54f0163ec0c6 · 2026-03-19T13:44:07.000+02:00
diff --git a/registry/server/migrations/20260319000000_settings_proxyHeaders.ts b/registry/server/migrations/20260319000000_settings_proxyHeaders.ts
@@ -0,0 +1,19 @@
+import { Knex } from 'knex';
+import { Scope, SettingKeys, SettingTypes } from '../settings/interfaces';
+
+export async function up(knex: Knex): Promise<any> {
+    await knex('settings').insert({
+        key: SettingKeys.ProxyHeaders,
+        value: 'null',
+        default: 'null',
+        scope: Scope.Ilc,
+        secret: false,
+        meta: JSON.stringify({
+            type: SettingTypes.StringArray,
+        }),
+    });
+}
+
+export async function down(knex: Knex): Promise<any> {
+    await knex('settings').whereIn('key', [SettingKeys.ProxyHeaders]).delete();
+}
diff --git a/registry/server/settings/interfaces/index.ts b/registry/server/settings/interfaces/index.ts
@@ -27,6 +27,7 @@ export enum SettingKeys {
     CspConfig = 'cspConfig',
     CspTrustedLocalHosts = 'cspTrustedLocalHosts',
     CspEnableStrict = 'cspEnableStrict',
+    ProxyHeaders = 'proxyHeaders',
 }
 
 export const AllowedSettingKeysForDomains = [SettingKeys.CspConfig];
@@ -140,6 +141,10 @@ const valueSchema = Joi.alternatives().conditional('key', {
             ),
             then: Joi.array().items(Joi.string()),
         },
+        {
+            is: Joi.valid(SettingKeys.ProxyHeaders),
+            then: Joi.array().items(Joi.string()).allow(null),
+        },
         {
             is: Joi.valid(SettingKeys.BaseUrl, SettingKeys.AuthOpenIdDiscoveryUrl),
             then: Joi.string()
diff --git a/registry/tests/settings.spec.ts b/registry/tests/settings.spec.ts
@@ -194,6 +194,14 @@ describe(url, () => {
                     type: SettingTypes.String,
                 },
             });
+            chai.expect(response.body).to.deep.include({
+                key: SettingKeys.ProxyHeaders,
+                scope: Scope.Ilc,
+                secret: false,
+                meta: {
+                    type: SettingTypes.StringArray,
+                },
+            });
         });
 
         it('should return a setting and exclude a value from a secret record', async () => {
@@ -724,6 +732,50 @@ describe(url, () => {
             }
         });
 
+        it(`should update ${SettingKeys.ProxyHeaders} with an array of strings`, async () => {
+            try {
+                const response = await req
+                    .put(urlJoin(url, SettingKeys.ProxyHeaders))
+                    .send({
+                        key: SettingKeys.ProxyHeaders,
+                        value: ['X-Forwarded-For', 'X-Real-IP'],
+                    })
+                    .expect(200);
+
+                chai.expect(response.body).to.deep.equal({
+                    key: SettingKeys.ProxyHeaders,
+                    value: ['X-Forwarded-For', 'X-Real-IP'],
+                    scope: Scope.Ilc,
+                    secret: false,
+                    meta: {
+                        type: SettingTypes.StringArray,
+                    },
+                });
+            } finally {
+                await req
+                    .put(urlJoin(url, SettingKeys.ProxyHeaders))
+                    .send({ key: SettingKeys.ProxyHeaders, value: null })
+                    .expect(200);
+            }
+        });
+
+        it(`should update ${SettingKeys.ProxyHeaders} with null`, async () => {
+            try {
+                const response = await req
+                    .put(urlJoin(url, SettingKeys.ProxyHeaders))
+                    .send({ key: SettingKeys.ProxyHeaders, value: null })
+                    .expect(200);
+
+                chai.expect(response.body).to.have.property('key', SettingKeys.ProxyHeaders);
+                chai.expect(response.body).to.not.have.property('value');
+            } finally {
+                await req
+                    .put(urlJoin(url, SettingKeys.ProxyHeaders))
+                    .send({ key: SettingKeys.ProxyHeaders, value: null })
+                    .expect(200);
+            }
+        });
+
         it('should deny access when a user is not authorized', async () => {
             await reqWithAuth
                 .put(urlJoin(url, SettingKeys.AmdDefineCompatibilityMode))
