Ensure we are no longer using/trusting "Host" HTTP Header. Require setting existing environment.ui.baseUrl. Replace ServerHardRedirectService.getCurrentOrigin() with getBaseUrl() to read this setting.

Author: tdonohue

config/config.example.yml

@@ -8,6 +8,9 @@ ui:
   ssl: false
   host: localhost
   port: 4000
+  # Specify the public URL that this user interface responds to. This corresponds to the "dspace.ui.url" property in your backend's local.cfg.
+  # SSR is only enabled when the client's "Host" HTTP header matches this baseUrl. The baseUrl is also used for redirects and SEO links (in robots.txt).
+  baseUrl: http://localhost:4000
   # NOTE: Space is capitalized because 'namespace' is a reserved string in TypeScript
   nameSpace: /
   # The rateLimiter settings limit each IP to a 'limit' of 500 requests per 'windowMs' (1 minute).

server.ts

@@ -145,7 +145,7 @@ export function app() {
   server.get('/robots.txt', (req, res) => {
     res.setHeader('content-type', 'text/plain');
     res.render('assets/robots.txt.ejs', {
-      'origin': req.protocol + '://' + req.headers.host,
+      'origin': environment.ui.baseUrl,
     });
   });
 

src/app/bitstream-page/legacy-bitstream-url-redirect.guard.spec.ts

@@ -9,6 +9,7 @@ import { RouterStub } from '@dspace/core/testing/router.stub';
 import { cold } from 'jasmine-marbles';
 import { EMPTY } from 'rxjs';
 
+import { environment } from '../../environments/environment';
 import { legacyBitstreamURLRedirectGuard } from './legacy-bitstream-url-redirect.guard';
 
 describe('legacyBitstreamURLRedirectGuard', () => {
@@ -150,7 +151,7 @@ describe('legacyBitstreamURLRedirectGuard', () => {
         }));
         resolver(route, state, bitstreamDataService, hardRedirectService, router).subscribe(() => {
           expect(bitstreamDataService.findByItemHandle).toHaveBeenCalled();
-          expect(hardRedirectService.redirect).toHaveBeenCalledWith(new URL(`/bitstreams/${bitstream.uuid}/download`, window.location.origin).href, 301);
+          expect(hardRedirectService.redirect).toHaveBeenCalledWith(new URL(`/bitstreams/${bitstream.uuid}/download`, environment.ui.baseUrl).href, 301);
         });
       });
     });

src/app/bitstream-page/legacy-bitstream-url-redirect.guard.ts

@@ -9,6 +9,7 @@ import {
 import { BitstreamDataService } from '@dspace/core/data/bitstream-data.service';
 import { RemoteData } from '@dspace/core/data/remote-data';
 import { PAGE_NOT_FOUND_PATH } from '@dspace/core/router/core-routing-paths';
+import { getBitstreamDownloadRoute } from '@dspace/core/router/utils/dso-route.utils';
 import { HardRedirectService } from '@dspace/core/services/hard-redirect.service';
 import { Bitstream } from '@dspace/core/shared/bitstream.model';
 import { getFirstCompletedRemoteData } from '@dspace/core/shared/operators';
@@ -46,7 +47,7 @@ export const legacyBitstreamURLRedirectGuard: CanActivateFn = (
     getFirstCompletedRemoteData(),
     map((rd: RemoteData<Bitstream>) => {
       if (rd.hasSucceeded && !rd.hasNoContent) {
-        serverHardRedirectService.redirect(new URL(`/bitstreams/${rd.payload.uuid}/download`, serverHardRedirectService.getCurrentOrigin()).href, 301);
+        serverHardRedirectService.redirect(new URL(getBitstreamDownloadRoute(rd.payload), serverHardRedirectService.getBaseUrl()).href, 301);
         return false;
       } else {
         return router.createUrlTree([PAGE_NOT_FOUND_PATH]);

src/app/core/metadata/head-tag.service.spec.ts

@@ -96,7 +96,7 @@ describe('HeadTagService', () => {
       },
     } as any as Router;
     hardRedirectService = jasmine.createSpyObj( {
-      getCurrentOrigin: 'https://request.org',
+      getBaseUrl: 'https://request.org',
     });
     authorizationService = jasmine.createSpyObj('authorizationService', {
       isAuthorized: of(true),

src/app/core/metadata/head-tag.service.ts

@@ -324,7 +324,7 @@ export class HeadTagService {
     if (this.currentObject.value instanceof Item) {
       let url = this.getMetaTagValue('dc.identifier.uri');
       if (hasNoValue(url)) {
-        url = new URLCombiner(this.hardRedirectService.getCurrentOrigin(), this.router.url).toString();
+        url = new URLCombiner(this.hardRedirectService.getBaseUrl(), this.router.url).toString();
       }
       this.addMetaTag('citation_abstract_html_url', url);
     }
@@ -407,7 +407,7 @@ export class HeadTagService {
         // Use the found link to set the <meta> tag
         this.addMetaTag(
           'citation_pdf_url',
-          new URLCombiner(this.hardRedirectService.getCurrentOrigin(), link).toString(),
+          new URLCombiner(this.hardRedirectService.getBaseUrl(), link).toString(),
         );
       });
     }

src/app/core/services/browser-hard-redirect.service.spec.ts

@@ -1,11 +1,13 @@
 import { TestBed } from '@angular/core/testing';
 
+import { environment } from '../../../environments/environment';
 import { BrowserHardRedirectService } from './browser-hard-redirect.service';
 
 describe('BrowserHardRedirectService', () => {
   let origin: string;
   let mockLocation: Location;
   let service: BrowserHardRedirectService;
+  let originalBaseUrl;
 
   beforeEach(() => {
     origin = 'https://test-host.com:4000';
@@ -20,11 +22,22 @@ describe('BrowserHardRedirectService', () => {
     } as Location;
     spyOn(mockLocation, 'replace');
 
+    // Store original environment variable to restore after tests
+    originalBaseUrl = environment.ui.baseUrl;
+
+    // Set environment variable to match our mock location origin for testing
+    environment.ui.baseUrl = origin;
+
     service = new BrowserHardRedirectService(mockLocation);
 
     TestBed.configureTestingModule({});
   });
 
+  afterEach(() => {
+    // Restore original environment variable after tests
+    environment.ui.baseUrl = originalBaseUrl;
+  });
+
   it('should be created', () => {
     expect(service).toBeTruthy();
   });
@@ -52,7 +65,7 @@ describe('BrowserHardRedirectService', () => {
   describe('when requesting the origin', () => {
 
     it('should return the location origin', () => {
-      expect(service.getCurrentOrigin()).toEqual(origin);
+      expect(service.getBaseUrl()).toEqual(origin);
     });
   });
 

src/app/core/services/browser-hard-redirect.service.ts

@@ -4,6 +4,7 @@ import {
   InjectionToken,
 } from '@angular/core';
 
+import { environment } from '../../../environments/environment';
 import { HardRedirectService } from './hard-redirect.service';
 
 export const LocationToken = new InjectionToken('Location');
@@ -41,12 +42,11 @@ export class BrowserHardRedirectService extends HardRedirectService {
   }
 
   /**
-   * Get the origin of the current URL
+   * Get the base public URL of our application.
+   * This is used as the base URL for redirects, and should be in the format of
    * i.e. <scheme> "://" <hostname> [ ":" <port> ]
-   * e.g. if the URL is https://demo.dspace.org/search?query=test,
-   * the origin would be https://demo.dspace.org
    */
-  getCurrentOrigin(): string {
-    return this.location.origin;
+  getBaseUrl(): string {
+    return environment.ui.baseUrl;
   }
 }

src/app/core/services/browser.referrer.service.spec.ts

@@ -16,7 +16,7 @@ describe(`BrowserReferrerService`, () => {
     service = new BrowserReferrerService(
       { referrer: documentReferrer },
       routeService,
-      { getCurrentOrigin: () => origin } as any,
+      { getBaseUrl: () => origin } as any,
     );
   });
 

src/app/core/services/browser.referrer.service.ts

@@ -50,7 +50,7 @@ export class BrowserReferrerService extends ReferrerService {
           const reversedHistory = [...history].reverse();
           // and find the first URL that differs from the current one
           const prevUrl = reversedHistory.find((url: string) => url !== currentURL);
-          return new URLCombiner(this.hardRedirectService.getCurrentOrigin(), prevUrl).toString();
+          return new URLCombiner(this.hardRedirectService.getBaseUrl(), prevUrl).toString();
         }
       }),
     );