fix(client): Normalize allowlist to origins (#321)

Author: dmihalcik-virtru

cli/package-lock.json

@@ -271,9 +271,10 @@ export class Client {
       this.kasEndpoint = clientConfig.keyRewrapEndpoint.replace(/\/rewrap$/, '');
     }
 
+    const kasOrigin = new URL(this.kasEndpoint).origin;
     if (clientConfig.allowedKases) {
-      this.allowedKases = [...clientConfig.allowedKases];
-      if (!validateSecureUrl(this.kasEndpoint) && !this.allowedKases.includes(this.kasEndpoint)) {
+      this.allowedKases = clientConfig.allowedKases.map((a) => new URL(a).origin);
+      if (!validateSecureUrl(this.kasEndpoint) && !this.allowedKases.includes(kasOrigin)) {
         throw new TdfError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
       }
       this.allowedKases.forEach(validateSecureUrl);
@@ -283,7 +284,7 @@ export class Client {
           `Invalid KAS endpoint [${this.kasEndpoint}]; to force, please list it among allowedKases`
         );
       }
-      this.allowedKases = [this.kasEndpoint];
+      this.allowedKases = [kasOrigin];
     }
 
     this.authProvider = config.authProvider;

lib/tdf3/src/client/index.ts

@@ -145,6 +145,7 @@ export type EncryptConfiguration = {
 };
 
 export type DecryptConfiguration = {
+  // Normalized KAS origins to connect to
   allowedKases: string[];
   authProvider: AuthProvider | AppIdAuthProvider;
   cryptoService: CryptoService;
@@ -824,7 +825,8 @@ async function unwrapKey({
   // Get key access information to know the KAS URLS
   const rewrappedKeys = await Promise.all(
     keyAccess.map(async (keySplitInfo) => {
-      if (!allowedKases.includes(keySplitInfo.url)) {
+      const kaoOrigin = new URL(keySplitInfo.url).origin;
+      if (!allowedKases.includes(kaoOrigin)) {
         throw new UnsafeUrlError(
           `cannot decrypt TDF: [${keySplitInfo.url}] not on allowlist ${JSON.stringify(
             allowedKases