ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-15 02:20:38 +09:00
Code Issues Projects Releases Packages Wiki Activity

fix(server): include x-forwarded-host in board mutation origin check

Browse source 
Behind a reverse proxy with a custom port (e.g. Caddy on :3443), the
browser sends an Origin header that includes the port, but the board
mutation guard only read the Host header which often omits the port.
This caused a 403 "Board mutation requires trusted browser origin"
for self-hosted deployments behind reverse proxies.

Read x-forwarded-host (first value, comma-split) with the same pattern
already used in private-hostname-guard.ts and routes/access.ts.

Fixes #1734
This commit is contained in:
Matt Van Horn 2026-03-25 00:06:43 -07:00
parent cbca599625
commit d0e01d2863
No known key found for this signature in database
2 changed files with 13 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
server/src/middleware/board-mutation-guard.ts
View file

@ -18,7 +18,8 @@ function parseOrigin(value: string | undefined) {
function trustedOriginsForRequest(req: Request) {
const origins = new Set(DEFAULT_DEV_ORIGINS.map((value) => value.toLowerCase()));
const host = req.header("host")?.trim();
const forwardedHost = req.header("x-forwarded-host")?.split(",")[0]?.trim();
const host = forwardedHost || req.header("host")?.trim();
if (host) {
origins.add(`http://${host}`.toLowerCase());
origins.add(`https://${host}`.toLowerCase());