Allow null in csrfProtection.allowedSubdomains configuration array (

#911)
lucia-auth · Aug 1, 2023 · d7f6f43 · d7f6f43
1 parent da48c8a
commit d7f6f43
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/.auri/$x6hv164g.md b/.auri/$x6hv164g.md
@@ -0,0 +1,6 @@
+---
+package: "lucia" # package name
+type: "minor" # "major", "minor", "patch"
+---
+
+Allow `null` in `csrfProtection.allowedSubdomains` configuration array
diff --git a/documentation/content/main/1.basics/7.configuration.md b/documentation/content/main/1.basics/7.configuration.md
@@ -85,11 +85,11 @@ Provides Lucia with the current server context.
 
 ### `csrfProtection`
 
-`true` by default. When set to `true`, [`AuthRequest.validate()`](/reference/lucia/interfaces/authrequest#validate) checks if the incoming request is from a trusted origin, which by default only includes where the server is hosted. You can define trusted subdomains by adding them to `csrfProtection.allowedSubdomains`. If your app is hosted on `https://foo.example.com`, adding `"bar"` will allow `https://bar.example.com`.
+`true` by default. When set to `true`, [`AuthRequest.validate()`](/reference/lucia/interfaces/authrequest#validate) checks if the incoming request is from a trusted origin, which by default only includes where the server is hosted. You can define trusted subdomains by adding them to `csrfProtection.allowedSubdomains`. If your app is hosted on `https://foo.example.com`, adding `"bar"` will allow `https://bar.example.com`. You can add `null` in the array to allow urls without a subdomain.
 
 ```ts
 const csrfProtection = boolean | {
-	allowedSubdomains: "*" | string[]
+	allowedSubdomains: "*" | (string | null)[]
 }
 ```
 

diff --git a/packages/lucia/src/utils/url.test.ts b/packages/lucia/src/utils/url.test.ts
@@ -95,6 +95,12 @@ test("isAllowedUrl() returns expected result", async () => {
 			allowedSubdomains: ["bar"]
 		})
 	).toBe(false);
+	expect(
+		isAllowedUrl("http://example.com/foo", {
+			url: "http://api.example.com",
+			allowedSubdomains: [null]
+		})
+	).toBe(true);
 
 	expect(
 		isAllowedUrl("http://localhost:3000", {

diff --git a/packages/lucia/src/utils/url.ts b/packages/lucia/src/utils/url.ts
@@ -2,7 +2,7 @@ export const isAllowedUrl = (
 	incomingUrl: string | URL,
 	app: {
 		url: string | URL;
-		allowedSubdomains: "*" | string[];
+		allowedSubdomains: "*" | (string | null)[];
 	}
 ): boolean => {
 	const getHostname = (urlParams: string | URL) => {
@@ -18,6 +18,7 @@ export const isAllowedUrl = (
 		return false;
 	}
 	const allowedHosts = app.allowedSubdomains.map((subdomain) => {
+		if (subdomain === null) return appBaseDomain;
 		return [subdomain, appBaseDomain].join(".");
 	});
 	return allowedHosts.includes(incomingHostname);