forked from farhoodlabs/paperclip
fix(server): include x-forwarded-host in board mutation origin check
Behind a reverse proxy with a custom port (e.g. Caddy on :3443), the browser sends an Origin header that includes the port, but the board mutation guard only read the Host header which often omits the port. This caused a 403 "Board mutation requires trusted browser origin" for self-hosted deployments behind reverse proxies. Read x-forwarded-host (first value, comma-split) with the same pattern already used in private-hostname-guard.ts and routes/access.ts. Fixes #1734
This commit is contained in:
Matt Van Horn
@@ -18,7 +18,8 @@ function parseOrigin(value: string | undefined) {
|
||||
|
||||
function trustedOriginsForRequest(req: Request) {
|
||||
const origins = new Set(DEFAULT_DEV_ORIGINS.map((value) => value.toLowerCase()));
|
||||
const host = req.header("host")?.trim();
|
||||
const forwardedHost = req.header("x-forwarded-host")?.split(",")[0]?.trim();
|
||||
const host = forwardedHost || req.header("host")?.trim();
|
||||
if (host) {
|
||||
origins.add(`http://${host}`.toLowerCase());
|
||||
origins.add(`https://${host}`.toLowerCase());
|
||||
|
||||
Reference in New Issue
Block a user