Merge pull request #224 from NFDI4Chem/orgins-validation

feat: validate origins based on hostnames

Author: vcnainala

src/allowed-origins.json

@@ -24,7 +24,7 @@
     "https://chemotion-t-02.zdv.uni-mainz.de",
     "https://pregl.ac.rwth-aachen.de",
     "https://schindler-ag.rwth-aachen.de",
-    "10.195.9.248",
+    "http://10.195.9.248",
     "https://dev1.zit.ph.tum.de",
     "https://org2619.chemie.uni-leipzig.de",
     "https://chemotion.ac.chemie.intern.uni-leipzig.de",

src/events/event.ts

@@ -15,6 +15,9 @@ function on<T extends EventType>(
   } = {},
 ) {
   const { eventOptions, allowedOrigins = [] } = options;
+  const allowedHostnames = new Set(
+    allowedOrigins.map(getHostName).filter(Boolean),
+  );
 
   function listener(event: MessageEvent) {
     const {
@@ -27,7 +30,7 @@ function on<T extends EventType>(
     const skipOriginCheck =
       allowedOrigins.length === 0 || allowedOrigins.includes('*');
 
-    if (!skipOriginCheck && !allowedOrigins.includes(url.origin)) {
+    if (!skipOriginCheck && !allowedHostnames.has(getHostName(url.origin))) {
       throw new Error(`Invalid Origin ${origin}`);
     }
 
@@ -40,4 +43,16 @@ function on<T extends EventType>(
   return () => window.removeEventListener(`message`, listener);
 }
 
+function getHostName(origin: string) {
+  try {
+    const { hostname } = new URL(origin);
+    return hostname;
+  } catch (error) {
+    // eslint-disable-next-line no-console
+    console.log(error);
+    // return null If the URL is invalid
+    return null;
+  }
+}
+
 export default { trigger, on };