Merge pull request #1744 from mvanhorn/fix/board-mutation-forwarded-host

fix(server): include x-forwarded-host in board mutation origin check
2026-03-30 07:34:08 -05:00
parent 6a72faf83b eb8c5d93e7
commit 2d31c71fbe
2 changed files with 24 additions and 1 deletions
@@ -84,6 +84,28 @@ describe("boardMutationGuard", () => {
    expect(res.status).toBe(204);
  });

+  it("allows board mutations when x-forwarded-host matches origin", async () => {
+    const app = createApp("board");
+    const res = await request(app)
+      .post("/mutate")
+      .set("Host", "127.0.0.1")
+      .set("X-Forwarded-Host", "10.90.10.20:3443")
+      .set("Origin", "https://10.90.10.20:3443")
+      .send({ ok: true });
+    expect(res.status).toBe(204);
+  });
+
+  it("blocks board mutations when x-forwarded-host does not match origin", async () => {
+    const app = createApp("board");
+    const res = await request(app)
+      .post("/mutate")
+      .set("Host", "127.0.0.1")
+      .set("X-Forwarded-Host", "10.90.10.20:3443")
+      .set("Origin", "https://evil.example.com")
+      .send({ ok: true });
+    expect(res.status).toBe(403);
+  });
+
  it("does not block authenticated agent mutations", async () => {
    const middleware = boardMutationGuard();
    const req = {