[public-api-server] Forward Origin header where provided

Author: geropl

components/gitpod-protocol/go/gitpod-service.go

@@ -10,14 +10,11 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"fmt"
 	"io"
 	"net/http"
-	"net/url"
 	"sync"
 
 	"github.com/sourcegraph/jsonrpc2"
-	"golang.org/x/xerrors"
 
 	"github.com/sirupsen/logrus"
 )
@@ -261,6 +258,7 @@ type ConnectToServerOpts struct {
 	Context             context.Context
 	Token               string
 	Cookie              string
+	Origin              string
 	Log                 *logrus.Entry
 	ReconnectionHandler func()
 	CloseHandler        func(error)
@@ -273,21 +271,9 @@ func ConnectToServer(endpoint string, opts ConnectToServerOpts) (*APIoverJSONRPC
 		opts.Context = context.Background()
 	}
 
-	epURL, err := url.Parse(endpoint)
-	if err != nil {
-		return nil, xerrors.Errorf("invalid endpoint URL: %w", err)
-	}
-
-	var protocol string
-	if epURL.Scheme == "wss:" {
-		protocol = "https"
-	} else {
-		protocol = "http"
-	}
-	origin := fmt.Sprintf("%s://%s/", protocol, epURL.Hostname())
-
 	reqHeader := http.Header{}
-	reqHeader.Set("Origin", origin)
+	reqHeader.Set("Origin", opts.Origin)
+
 	for k, v := range opts.ExtraHeaders {
 		reqHeader.Set(k, v)
 	}

components/public-api-server/pkg/auth/context.go

@@ -25,6 +25,8 @@ const (
 type Token struct {
 	Type  TokenType
 	Value string
+	// Only relevant for CookieTokenType
+	OriginHeader string
 }
 
 func NewAccessToken(token string) Token {
@@ -34,10 +36,11 @@ func NewAccessToken(token string) Token {
 	}
 }
 
-func NewCookieToken(cookie string) Token {
+func NewCookieToken(cookie string, origin string) Token {
 	return Token{
-		Type:  CookieTokenType,
-		Value: cookie,
+		Type:         CookieTokenType,
+		Value:        cookie,
+		OriginHeader: origin,
 	}
 }
 

components/public-api-server/pkg/auth/context_test.go

@@ -20,7 +20,7 @@ func TestTokenToAndFromContext_AccessToken(t *testing.T) {
 }
 
 func TestTokenToAndFromContext_CookieToken(t *testing.T) {
-	token := NewCookieToken("my_token")
+	token := NewCookieToken("my_token", "gitpod.io")
 
 	extracted, err := TokenFromContext(TokenToContext(context.Background(), token))
 	require.NoError(t, err)

components/public-api-server/pkg/auth/middleware.go

@@ -41,8 +41,9 @@ func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (Token, error
 	}
 
 	cookie := req.Header().Get("Cookie")
+	origin := req.Header().Get("Origin")
 	if cookie != "" {
-		return NewCookieToken(cookie), nil
+		return NewCookieToken(cookie, origin), nil
 	}
 
 	return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))

components/public-api-server/pkg/proxy/conn.go

@@ -48,6 +48,7 @@ func (p *NoConnectionPool) Get(ctx context.Context, token auth.Token) (gitpod.AP
 		opts.Token = token.Value
 	case auth.CookieTokenType:
 		opts.Cookie = token.Value
+		opts.Origin = token.OriginHeader
 	default:
 		return nil, errors.New("unknown token type")
 	}
@@ -98,6 +99,7 @@ func NewConnectionPool(address *url.URL, poolSize int) (*ConnectionPool, error)
 				opts.Token = token.Value
 			case auth.CookieTokenType:
 				opts.Cookie = token.Value
+				opts.Origin = token.OriginHeader
 			default:
 				return nil, errors.New("unknown token type")
 			}

components/public-api-server/pkg/proxy/conn_test.go

@@ -57,7 +57,7 @@ func TestEndpointBasedOnToken(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, "wss://gitpod.io/api/v1", endpointForAccessToken)
 
-	endpointForCookie, err := getEndpointBasedOnToken(auth.NewCookieToken("foo"), u)
+	endpointForCookie, err := getEndpointBasedOnToken(auth.NewCookieToken("foo", "server"), u)
 	require.NoError(t, err)
 	require.Equal(t, "wss://gitpod.io/api/gitpod", endpointForCookie)
 }