From d7f6f43d480a59771e3766295f476685b8fbb97f Mon Sep 17 00:00:00 2001
From: pilcrowOnPaper <80624252+pilcrowOnPaper@users.noreply.github.com>
Date: Tue, 1 Aug 2023 23:05:23 +0900
Subject: [PATCH] Allow `null` in `csrfProtection.allowedSubdomains` configuration array (#911)
---
 .auri/$x6hv164g.md | 6 ++++++
 documentation/content/main/1.basics/7.configuration.md | 4 ++--
 packages/lucia/src/utils/url.test.ts | 6 ++++++
 packages/lucia/src/utils/url.ts | 3 ++-
 4 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 .auri/$x6hv164g.md
diff --git a/.auri/$x6hv164g.md b/.auri/$x6hv164g.md
new file mode 100644
index 000000000..2c65f0fec
--- /dev/null
+++ b/.auri/$x6hv164g.md
@@ -0,0 +1,6 @@
+---
+package: "lucia" # package name
+type: "minor" # "major", "minor", "patch"
+---
+
+Allow `null` in `csrfProtection.allowedSubdomains` configuration array
\ No newline at end of file
diff --git a/documentation/content/main/1.basics/7.configuration.md b/documentation/content/main/1.basics/7.configuration.md
index 3e1fd99d1..1fa327862 100644
--- a/documentation/content/main/1.basics/7.configuration.md
+++ b/documentation/content/main/1.basics/7.configuration.md
@@ -85,11 +85,11 @@ Provides Lucia with the current server context.
 ### `csrfProtection`
-`true` by default. When set to `true`, [`AuthRequest.validate()`](/reference/lucia/interfaces/authrequest#validate) checks if the incoming request is from a trusted origin, which by default only includes where the server is hosted. You can define trusted subdomains by adding them to `csrfProtection.allowedSubdomains`. If your app is hosted on `https://foo.example.com`, adding `"bar"` will allow `https://bar.example.com`.
+`true` by default. When set to `true`, [`AuthRequest.validate()`](/reference/lucia/interfaces/authrequest#validate) checks if the incoming request is from a trusted origin, which by default only includes where the server is hosted. You can define trusted subdomains by adding them to `csrfProtection.allowedSubdomains`. If your app is hosted on `https://foo.example.com`, adding `"bar"` will allow `https://bar.example.com`. You can add `null` in the array to allow urls without a subdomain.
 ```ts
 const csrfProtection = boolean | {
- allowedSubdomains: "*" | string[]
+ allowedSubdomains: "*" | (string | null)[]
 }
 ```
diff --git a/packages/lucia/src/utils/url.test.ts b/packages/lucia/src/utils/url.test.ts
index abeacdbee..98703bb30 100644
--- a/packages/lucia/src/utils/url.test.ts
+++ b/packages/lucia/src/utils/url.test.ts
@@ -95,6 +95,12 @@ test("isAllowedUrl() returns expected result", async () => { allowedSubdomains: ["bar"] }) ).toBe(false); + expect( isAllowedUrl("http://example.com/foo", { url: "http://api.example.com", allowedSubdomains: [null] }) ).toBe(true); expect( isAllowedUrl("http://localhost:3000", {
diff --git a/packages/lucia/src/utils/url.ts b/packages/lucia/src/utils/url.ts
index 73959bff9..834426d3f 100644
--- a/packages/lucia/src/utils/url.ts
+++ b/packages/lucia/src/utils/url.ts
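Review bot: The added `[null]` case in the url.test.ts hunk only checks the positive direction; nothing asserts that `null` trusts just the bare base domain and not sibling subdomains, which is the property that matters for the CSRF origin check. Add a negative assertion next to it, e.g. `expect(isAllowedUrl("http://bar.example.com", { url: "http://api.example.com", allowedSubdomains: [null] })).toBe(false);`, which the exact `includes` match in url.ts should satisfy. The enclosing `test(...)` callback starts and ends outside this hunk.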
@@ -2,7 +2,7 @@ export const isAllowedUrl = (
 incomingUrl: string | URL,
 app: {
 url: string | URL;
- allowedSubdomains: "*" | string[];
+ allowedSubdomains: "*" | (string | null)[];
 }
 ): boolean => {
 const getHostname = (urlParams: string | URL) => {
@@ -18,6 +18,7 @@ export const isAllowedUrl = (
 return false;
 }
 const allowedHosts = app.allowedSubdomains.map((subdomain) => {
+ if (subdomain === null) return appBaseDomain;
 return [subdomain, appBaseDomain].join(".");
 });
 return allowedHosts.includes(incomingHostname);
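Review bot: The widened `allowedSubdomains: "*" | (string | null)[]` type on the `+` line introduces a sentinel (`null` meaning the base domain itself) that a reader of the type alone cannot recover, and the parameter type literal carries no doc comment. Add a TSDoc line above the property, e.g. `/** Subdomains of the app's base domain to trust; `null` trusts the bare base domain itself. */`, so callers do not have to read the `map` in the second hunk to learn what `null` means. The enclosing `isAllowedUrl` signature begins on line 1, outside this hunk.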
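Review bot: The new `null` branch returns `appBaseDomain` unchanged while any string still goes through `join(".")`, so an empty string `""` in the array would yield a host with a leading dot (`.example.com`) rather than the bare base domain, which is presumably never what a config author intends and now sits next to a value that does mean exactly that. Rather than silently aliasing `""` to `null` (which would widen the trusted set), consider rejecting `""` explicitly or documenting that it is not an alias for `null`, and add a why-comment on the new line such as `// null = trust the base domain itself (no subdomain prefix)`. `appBaseDomain` is computed above this hunk and `isAllowedUrl` closes below it, so this note relies on the visible lines only.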