From cc31bab5031718983b63687995f9ae1dca296b2a Mon Sep 17 00:00:00 2001
From: Alexey Murz Korepov
Date: Tue, 23 Feb 2021 14:04:33 +0300
Subject: [PATCH 1/7] Check x-forwarded-host before host for proxying

Default setup of reverse proxies is to pass real host into `x-forwarded-host` key, with leaving `host` untouched. For not require special changes of reverse proxy settings to Keystone-next, I suggest to check it before `host`.
---
 packages-next/auth/src/index.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages-next/auth/src/index.ts b/packages-next/auth/src/index.ts
index b76e9ade3d2..6cc732c7efd 100644
--- a/packages-next/auth/src/index.ts
+++ b/packages-next/auth/src/index.ts
@@ -337,10 +337,11 @@ export function createAuth({
 // Allow access to the adminMeta data from the /init path to correctly render that page
 // even if the user isn't logged in (which should always be the case if they're seeing /init)
 const headers = context.req?.headers;
+ const host = headers ? (headers['x-forwarded-host'] || headers.host) : 'localhost';
 const url = headers?.referer ? new URL(headers.referer) : undefined;
 const accessingInitPage =
 url?.pathname === '/init' &&
- url?.host === headers?.host &&
+ url?.host === host &&
 (await context.sudo().lists[listKey].count({})) === 0;
 return (
 accessingInitPage ||
From e7bbcadaeb7fda8dbaf90e035ba130844bb6e9bc Mon Sep 17 00:00:00 2001
From: Alexey Murz Korepov
Date: Tue, 23 Feb 2021 15:09:20 +0300
Subject: [PATCH 2/7] Match to null if absent

---
 packages-next/auth/src/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages-next/auth/src/index.ts b/packages-next/auth/src/index.ts
index 6cc732c7efd..a71fb524a1f 100644
--- a/packages-next/auth/src/index.ts
+++ b/packages-next/auth/src/index.ts
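Review bot: The `host` line added in the PATCH 1/7 hunk takes `x-forwarded-host` from any request, whether or not a proxy set it, so in a deployment where nothing in front of the server overwrites or strips that header the caller chooses the value that `url?.host === host` is compared against; only the `count({}) === 0` condition then still gates the unauthenticated `/init` branch. The forwarded header should be honoured only when the deployment declares a trusted proxy and `headers.host` used otherwise (if `context.req` is an Express request, `req.hostname` already applies the `trust proxy` setting; this needs confirming against the server setup). A proxy chain or a duplicated header can also produce a comma-separated value that never equals `url.host`, so the value should be normalised before comparing, for example `const forwarded = String(headers['x-forwarded-host'] ?? '').split(',')[0].trim();`, with the choice of list element confirmed for the proxy in use. Whatever is decided, a comment on the line such as `// x-forwarded-host is client-controlled unless a trusted proxy overwrites it` would record the assumption. The same expression is carried through the hunks of PATCH 2/7, 4/7 and 7/7, and `createAuth` starts and ends outside the hunk.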
@@ -337,7 +337,7 @@ export function createAuth({
 // Allow access to the adminMeta data from the /init path to correctly render that page
 // even if the user isn't logged in (which should always be the case if they're seeing /init)
 const headers = context.req?.headers;
- const host = headers ? (headers['x-forwarded-host'] || headers.host) : 'localhost';
+ const host = headers ? (headers['x-forwarded-host'] || headers.host) : null;
 const url = headers?.referer ? new URL(headers.referer) : undefined;
 const accessingInitPage =
 url?.pathname === '/init' &&
From f2a6817f5f85e4334c1091dbe05bd7687c7ab1e0 Mon Sep 17 00:00:00 2001
From: Alexey Murz Korepov
Date: Tue, 23 Feb 2021 15:15:25 +0300
Subject: [PATCH 3/7] Added changeset

---
 .changeset/fast-meals-ring.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/fast-meals-ring.md

diff --git a/.changeset/fast-meals-ring.md b/.changeset/fast-meals-ring.md
new file mode 100644
index 00000000000..5678c02967d
--- /dev/null
+++ b/.changeset/fast-meals-ring.md
@@ -0,0 +1,5 @@
+---
+'@keystone-next/auth': minor
+---
+
+Check x-forwarded-host before host for support reverse proxy defaults
From edd133c59a916f3d2fc6037071fdba8fadc59227 Mon Sep 17 00:00:00 2001
From: Alexey Murz Korepov
Date: Tue, 23 Feb 2021 15:27:40 +0300
Subject: [PATCH 4/7] Linting

---
 packages-next/auth/src/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages-next/auth/src/index.ts b/packages-next/auth/src/index.ts
index a71fb524a1f..ca276cd6f3d 100644
--- a/packages-next/auth/src/index.ts
+++ b/packages-next/auth/src/index.ts
@@ -337,7 +337,7 @@ export function createAuth({
 // Allow access to the adminMeta data from the /init path to correctly render that page
 // even if the user isn't logged in (which should always be the case if they're seeing /init)
 const headers = context.req?.headers;
- const host = headers ? (headers['x-forwarded-host'] || headers.host) : null;
+ const host = headers ? headers['x-forwarded-host'] || headers.host : null;
 const url = headers?.referer ? new URL(headers.referer) : undefined;
 const accessingInitPage =
 url?.pathname === '/init' &&
From 765fe1610dfb1a320da7610d034e02a046b400ac Mon Sep 17 00:00:00 2001
From: Alexey Murz Korepov
Date: Wed, 24 Feb 2021 08:49:40 +0300
Subject: [PATCH 5/7] changeset-to-path

Co-authored-by: Tim Leslie
---
 .changeset/fast-meals-ring.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/fast-meals-ring.md b/.changeset/fast-meals-ring.md
index 5678c02967d..247129daed9 100644
--- a/.changeset/fast-meals-ring.md
+++ b/.changeset/fast-meals-ring.md
@@ -1,5 +1,5 @@
 ---
-'@keystone-next/auth': minor
+'@keystone-next/auth': patch
 ---
 
 Check x-forwarded-host before host for support reverse proxy defaults
From b1461a3c6e10bf8e7aa6524a1b81210b300af86d Mon Sep 17 00:00:00 2001
From: Alexey Murz Korepov
Date: Wed, 24 Feb 2021 08:50:08 +0300
Subject: [PATCH 6/7] Update changeset description

Co-authored-by: Tim Leslie
---
 .changeset/fast-meals-ring.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/fast-meals-ring.md b/.changeset/fast-meals-ring.md
index 247129daed9..abe779e64c4 100644
--- a/.changeset/fast-meals-ring.md
+++ b/.changeset/fast-meals-ring.md
@@ -2,4 +2,4 @@
 '@keystone-next/auth': patch
 ---
 
-Check x-forwarded-host before host for support reverse proxy defaults
+Fixed a bug which prevented accessing the '/init` path from behind a reverse proxy.
From 66ec342b87f83d5eff43eb17eb946d473686f11f Mon Sep 17 00:00:00 2001
From: Alexey Murz Korepov
Date: Wed, 24 Feb 2021 09:11:45 +0300
Subject: [PATCH 7/7] Update packages-next/auth/src/index.ts

Co-authored-by: Tim Leslie
---
 packages-next/auth/src/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages-next/auth/src/index.ts b/packages-next/auth/src/index.ts
index ca276cd6f3d..7074f15cc9f 100644
--- a/packages-next/auth/src/index.ts
+++ b/packages-next/auth/src/index.ts
@@ -337,7 +337,7 @@ export function createAuth({
 // Allow access to the adminMeta data from the /init path to correctly render that page
 // even if the user isn't logged in (which should always be the case if they're seeing /init)
 const headers = context.req?.headers;
- const host = headers ? headers['x-forwarded-host'] || headers.host : null;
+ const host = headers ? headers['x-forwarded-host'] || headers['host'] : null;
 const url = headers?.referer ? new URL(headers.referer) : undefined;
 const accessingInitPage =
 url?.pathname === '/init' &&