From 8712bec82b962963c73ec580c7c8af9ed9bf2957 Mon Sep 17 00:00:00 2001
From: Tom Richards
Date: Tue, 8 Aug 2023 21:52:12 +0100
Subject: [PATCH] add `thrall` to allowed CORS domains (which informs the CSRF origins)

---
 .../gu/mediaservice/lib/config/CommonConfig.scala | 3 ++-
 .../com/gu/mediaservice/lib/config/Services.scala | 14 ++++++++++----
 .../gu/mediaservice/lib/play/GridComponents.scala | 2 +-
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/common-lib/src/main/scala/com/gu/mediaservice/lib/config/CommonConfig.scala b/common-lib/src/main/scala/com/gu/mediaservice/lib/config/CommonConfig.scala
index e463f8eef5..0cb5f6a107 100644
--- a/common-lib/src/main/scala/com/gu/mediaservice/lib/config/CommonConfig.scala
+++ b/common-lib/src/main/scala/com/gu/mediaservice/lib/config/CommonConfig.scala
@@ -59,7 +59,8 @@ abstract class CommonConfig(resources: GridConfigResources) extends AwsClientBui
     stringDefault("hosts.usagePrefix", s"$rootAppName-usage."),
     stringDefault("hosts.collectionsPrefix", s"$rootAppName-collections."),
     stringDefault("hosts.leasesPrefix", s"$rootAppName-leases."),
-    stringDefault("hosts.authPrefix", s"$rootAppName-auth.")
+    stringDefault("hosts.authPrefix", s"$rootAppName-auth."),
+    stringDefault("hosts.thrallPrefix", s"thrall.$rootAppName.")
   )
 
   val corsAllowedOrigins: Set[String] = getStringSet("security.cors.allowedOrigins")
diff --git a/common-lib/src/main/scala/com/gu/mediaservice/lib/config/Services.scala b/common-lib/src/main/scala/com/gu/mediaservice/lib/config/Services.scala
index 3953aa1995..896acf8549 100644
--- a/common-lib/src/main/scala/com/gu/mediaservice/lib/config/Services.scala
+++ b/common-lib/src/main/scala/com/gu/mediaservice/lib/config/Services.scala
@@ -11,7 +11,8 @@ case class ServiceHosts(
   usagePrefix: String,
   collectionsPrefix: String,
   leasesPrefix: String,
-  authPrefix: String
+  authPrefix: String,
+  thrallPrefix: String
 )
 
 object ServiceHosts {
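Review bot: The new default `s"thrall.$rootAppName."` has a different shape from every other prefix in this list (`$rootAppName-<service>.`), so thrall resolves as a subdomain of the root app name rather than as `<app>-thrall`, and the same literal is repeated in the `ServiceHosts` defaults in Services.scala (hunk at -31). If that shape is intentional, a one-line comment beside it, e.g. `// thrall is served under the root app's subdomain, not as "<app>-thrall."`, would stop a later reader "normalising" it to the common pattern. Having one of the two sites reference the other would also keep the two defaults from drifting apart.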
@@ -31,7 +32,8 @@ object ServiceHosts {
     usagePrefix = s"$rootAppName-usage.",
     collectionsPrefix = s"$rootAppName-collections.",
     leasesPrefix = s"$rootAppName-leases.",
-    authPrefix = s"$rootAppName-auth."
+    authPrefix = s"$rootAppName-auth.",
+    thrallPrefix = s"thrall.$rootAppName."
   )
 }
 }
@@ -48,6 +50,8 @@ class Services(val domainRoot: String, hosts: ServiceHosts, corsAllowedOrigins:
   val leasesHost: String = s"${hosts.leasesPrefix}${domainRootOverride.getOrElse(domainRoot)}"
   val authHost: String = s"${hosts.authPrefix}$domainRoot"
   val projectionHost: String = s"${hosts.projectionPrefix}${domainRootOverride.getOrElse(domainRoot)}"
+  val thrallHost: String = s"${hosts.thrallPrefix}${domainRootOverride.getOrElse(domainRoot)}"
+
 
   val kahunaBaseUri = baseUri(kahunaHost)
   val apiBaseUri = baseUri(apiHost)
@@ -60,6 +64,7 @@ class Services(val domainRoot: String, hosts: ServiceHosts, corsAllowedOrigins:
   val collectionsBaseUri = baseUri(collectionsHost)
   val leasesBaseUri = baseUri(leasesHost)
   val authBaseUri = baseUri(authHost)
+  val thrallBaseUri = baseUri(thrallHost)
 
   val allInternalUris = Seq(
     kahunaBaseUri,
@@ -70,12 +75,13 @@ class Services(val domainRoot: String, hosts: ServiceHosts, corsAllowedOrigins:
     usageBaseUri,
     collectionsBaseUri,
     leasesBaseUri,
-    authBaseUri
+    authBaseUri,
+    thrallBaseUri
   )
 
   val guardianWitnessBaseUri: String = "https://n0ticeapis.com"
 
-  val corsAllowedDomains: Set[String] = corsAllowedOrigins.map(baseUri)
+  val corsAllowedDomains: Set[String] = corsAllowedOrigins.map(baseUri) + kahunaBaseUri + apiBaseUri + thrallBaseUri
 
   val redirectUriParam = "redirectUri"
   val redirectUriPlaceholder = s"{?$redirectUriParam}"
diff --git a/rest-lib/src/main/scala/com/gu/mediaservice/lib/play/GridComponents.scala b/rest-lib/src/main/scala/com/gu/mediaservice/lib/play/GridComponents.scala
index 9c89050174..b5ef5861d3 100644
--- a/rest-lib/src/main/scala/com/gu/mediaservice/lib/play/GridComponents.scala
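Review bot: The second added line in the hunk at -48 is an empty line placed directly before the existing blank context line, which leaves two consecutive blank lines between `thrallHost` and `kahunaBaseUri` (the hunk's +2 line count supports this reading). Dropping the extra blank keeps the single-blank spacing used throughout the rest of the `Services` class. The class continues outside the hunk.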
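Review bot: In the hunk at -70, `corsAllowedDomains` now hard-wires `kahunaBaseUri`, `apiBaseUri` and `thrallBaseUri` into what was previously only the configured `security.cors.allowedOrigins`, and per the commit subject the same set feeds the CSRF trusted origins, so every consumer of this val — not just the CORS config in GridComponents — now also trusts those three origins. The val carries no documentation saying so; a Scaladoc such as `/** Origins trusted for CORS (and CSRF): the configured security.cors.allowedOrigins plus the kahuna, api and thrall base URIs. */` would make that contract explicit, and a name that is not CORS-specific could be considered now that the set serves both purposes. Note also that `thrallHost` (hunk at -48) is built from `domainRootOverride.getOrElse(domainRoot)` while `authHost` uses `domainRoot` directly, so when an override is set the origin admitted here is the overridden one; worth confirming that matches the origin browsers actually present for thrall. The `Services` class continues outside the hunk.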
+++ b/rest-lib/src/main/scala/com/gu/mediaservice/lib/play/GridComponents.scala
@@ -39,7 +39,7 @@ abstract class GridComponents[Config <: CommonConfig](context: Context, val load
   )
 
   final override lazy val corsConfig: CORSConfig = CORSConfig.fromConfiguration(context.initialConfiguration).copy(
-    allowedOrigins = Origins.Matching(Set(config.services.kahunaBaseUri, config.services.apiBaseUri) ++ config.services.corsAllowedDomains)
+    allowedOrigins = Origins.Matching(config.services.corsAllowedDomains)
   )
 
   lazy val management = new Management(controllerComponents, buildInfo)
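Review bot: `Origins.Matching(config.services.corsAllowedDomains)` now depends on `corsAllowedDomains` in Services.scala already containing the kahuna and api origins that the removed line added here explicitly, and that dependency is invisible at this call site. A comment on the line, e.g. `// corsAllowedDomains already includes the kahuna, api and thrall origins (see Services)`, would keep the next reader from re-adding them. The net effect for every service built on `GridComponents` is that the thrall origin is now allowed cross-origin; it is worth confirming that each such service needs to accept browser requests from thrall rather than only the services its UI calls. The enclosing `GridComponents` class continues outside the hunk.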