Allow wildcards in serverActions.allowedOrigins

[akawalsky]

Goals

1. Allow for platforms running on Vercel with NextJS to use server actions across a variety of subdomains

Non-Goals

No response

Background

Got here from this discussion - #58295

We are proxying our requests to our Next server via a Cloudfront function in order to allow for subdomain rewrites for the user. e.g. apple.ourdomain.com -> rewrites to -> www.ourdomain.com/apple. There are 100s of subdomains that we currently support.

When we do this rewrite, CF writes an X-Forwarded-Host header to www.ourdomain.com before sending to the Next server. Next then hits this bit of logic - https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/action-handler.ts#L324-L348 which will throw an error. Next does allow for passing in allowedOrigins specifically to bypass this check, but this will not scale for our use-case as we have 100s of subdomains.

We would like to be able to pass in *.ourdomain.com in this allowedOrigins configuration to solve this issue.

Proposal

We should change this line to allow for wildcard domains instead of just a simple includes call.

https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/action-handler.ts#L334

In this example, passing *.ourdomain.com for allowedOrigins would solve this issue.

I am happy to help with contributing to this.

[akawalsky]

@gnoff

[JustinMartinDev]

We are in the same case, i show a "network" graph for visualization

flowchart LR
  User -- front-proxy.com --> reverse_proxy


  subgraph reverse_proxy[Reverse Proxy]
    direction TB

    reverse_proxy_server
  end

  reverse_proxy -- behind-proxy.com ---> my_stack

  subgraph my_stack["Next App (behind reverse proxy)"]
    direction LR
    next_server[Next Server] --> react_app[React app]
    next_server[Next Server] --> server_action[Server actions]
    next_server[Next Server] --> next_others[...]
  end

Loading

In our case we also need it for our "preview" environment. We use github workflow we create some "preview" environment in gcp. This workflow generate an url like app-preview-<PR_id>-behind-proxy.com to access of it. And so this url should be in next
configuration

Tech proposal

The idea is to use isMatch from micromatch and update the condition: JustinMartinDev@8ef829a

[akawalsky]

@JustinMartinDev good call, I didn't realize Next already had a wildcard matching tool. I was previously just using Regex. I adapted my PR to use your suggestion. #59428

[gnoff]

This is a great idea. There is prior art here with https://nextjs.org/docs/app/api-reference/components/image#remotepatterns

I left some comments on the PR. We should be able to land soon