Configure OAuth to allow any subdomain (#36022)

GitOrigin-RevId: 19c132d541fbcf039a4dbaadadd9bd2f8619555c

Author: thomasballinger

Diff for: npm-packages/dashboard/src/components/AuthorizeProject.test.tsx

@@ -58,6 +58,15 @@ describe("AuthorizeProject", () => {
         allowedRedirects: ["https://test-app.com/callback"],
         allowImplicitFlow: true,
       },
+      "test-subdomain-client": {
+        name: "Test App With Any Subdomain Allowed",
+        allowedRedirects: [],
+        allowedRedirectsAnySubdomain: [
+          "https://a.pages.dev/foo",
+          "http://b.com/bar",
+        ],
+        allowImplicitFlow: true,
+      },
     },
   };
 
@@ -333,4 +342,84 @@ describe("AuthorizeProject", () => {
       screen.getByText("Authorize access to your project"),
     );
   });
+
+  describe("allowedRedirectsAnySubdomain", () => {
+    test("accepts a subdomain of an allowed domain with matching path", () => {
+      mockRouter.setCurrentUrl(
+        "/?client_id=test-subdomain-client&redirect_uri=https://b.a.pages.dev/foo&response_type=token",
+      );
+
+      render(<AuthorizeProject />);
+      expect(
+        screen.getByText("Authorize access to your project"),
+      ).toBeInTheDocument();
+    });
+
+    test("accepts multiple levels of subdomains with matching path", () => {
+      mockRouter.setCurrentUrl(
+        "/?client_id=test-subdomain-client&redirect_uri=https://c.b.a.pages.dev/foo&response_type=token",
+      );
+
+      render(<AuthorizeProject />);
+      expect(
+        screen.getByText("Authorize access to your project"),
+      ).toBeInTheDocument();
+    });
+
+    test("rejects if domain structure is changed", () => {
+      mockRouter.setCurrentUrl(
+        "/?client_id=test-subdomain-client&redirect_uri=https://b.a.c.pages.dev/foo&response_type=token",
+      );
+
+      render(<AuthorizeProject />);
+      expect(screen.getByTestId("invalid-redirect-uri")).toBeInTheDocument();
+    });
+
+    test("rejects if path is different", () => {
+      mockRouter.setCurrentUrl(
+        "/?client_id=test-subdomain-client&redirect_uri=https://b.a.pages.dev/foo/bar&response_type=token",
+      );
+
+      render(<AuthorizeProject />);
+      expect(screen.getByTestId("invalid-redirect-uri")).toBeInTheDocument();
+    });
+
+    test("rejects if protocol is different", () => {
+      mockRouter.setCurrentUrl(
+        "/?client_id=test-subdomain-client&redirect_uri=http://b.a.pages.dev/foo&response_type=token",
+      );
+
+      render(<AuthorizeProject />);
+      expect(screen.getByTestId("invalid-redirect-uri")).toBeInTheDocument();
+    });
+
+    test("accepts a subdomain for second allowed domain with matching path", () => {
+      mockRouter.setCurrentUrl(
+        "/?client_id=test-subdomain-client&redirect_uri=http://sub.b.com/bar&response_type=token",
+      );
+
+      render(<AuthorizeProject />);
+      expect(
+        screen.getByText("Authorize access to your project"),
+      ).toBeInTheDocument();
+    });
+
+    test("rejects if port is different", () => {
+      mockRouter.setCurrentUrl(
+        "/?client_id=test-subdomain-client&redirect_uri=https://b.a.pages.dev:8080/foo&response_type=token",
+      );
+
+      render(<AuthorizeProject />);
+      expect(screen.getByTestId("invalid-redirect-uri")).toBeInTheDocument();
+    });
+
+    test("rejects query parameters", () => {
+      mockRouter.setCurrentUrl(
+        "/?client_id=test-subdomain-client&redirect_uri=https://b.a.pages.dev/foo?query=param&response_type=token",
+      );
+
+      render(<AuthorizeProject />);
+      expect(screen.getByTestId("invalid-redirect-uri")).toBeInTheDocument();
+    });
+  });
 });

Diff for: npm-packages/dashboard/src/components/AuthorizeProject.tsx

@@ -330,7 +330,12 @@ function validateOAuthConfig(
   config: OAuthConfig,
   oauthProviderConfiguration: Record<
     string,
-    { name: string; allowedRedirects: string[]; allowImplicitFlow?: boolean }
+    {
+      name: string;
+      allowedRedirects: string[];
+      allowImplicitFlow?: boolean;
+      allowedRedirectsAnySubdomain?: string[];
+    }
   >,
 ): {
   callingApplication: { name: string; allowedRedirects: string[] };
@@ -357,7 +362,7 @@ function validateOAuthConfig(
     };
   }
 
-  if (!callingApplication.allowedRedirects.includes(config.redirectUri)) {
+  if (!redirectUriAllowed(callingApplication, config.redirectUri)) {
     // Don't include the invalid redirectUri in the validated config
     return {
       callingApplication,
@@ -417,6 +422,49 @@ function validateOAuthConfig(
   };
 }
 
+function redirectUriAllowed(
+  callingApplication: {
+    allowedRedirectsAnySubdomain?: string[];
+    allowedRedirects: string[];
+  },
+  redirectUri: string,
+): boolean {
+  if (callingApplication.allowedRedirects.includes(redirectUri)) {
+    return true;
+  }
+
+  return (callingApplication.allowedRedirectsAnySubdomain || []).some(
+    (allowedPattern) => {
+      // https://    a.pages.dev/foo allows both
+      // https://  b.a.pages.dev/foo and
+      // https://c.b.a.pages.dev/foo.
+      let allowedUrl: URL;
+      let redirectUrl: URL;
+      try {
+        allowedUrl = new URL(allowedPattern);
+        redirectUrl = new URL(redirectUri);
+      } catch (e) {
+        captureException(e);
+        return false;
+      }
+
+      if (
+        redirectUrl.hostname !== allowedUrl.hostname &&
+        !redirectUrl.hostname.endsWith(`.${allowedUrl.hostname}`)
+      ) {
+        return false;
+      }
+
+      return (
+        redirectUrl.protocol === allowedUrl.protocol &&
+        redirectUrl.port === allowedUrl.port &&
+        redirectUrl.pathname === allowedUrl.pathname &&
+        redirectUrl.search === allowedUrl.search
+      );
+    },
+  );
+}
+
 function buildOAuthRedirectUrl(
   validatedConfig: ValidatedOAuthConfig | undefined,
   params: {