fix!: strict dynamic backend urls

johannschopplich · Jun 27, 2023 · 481872f · 481872f
1 parent d5e7110
commit 481872f
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 2 deletions.
diff --git a/docs/config/index.md b/docs/config/index.md
@@ -24,6 +24,7 @@ Main module configuration for your API endpoints. Each key represents an endpoin
 - `query`: Query parameters to send with each request (optional)
 - `headers`: Headers to send with each request (optional)
 - `cookies`: Whether to send cookies with each request (optional)
+- `allowedUrls`: A list of allowed URLs to change the [backend URL at runtime](/guide/dynamic-backend-url) (optional)
 
 ::: info
 The composables are generated based on your API endpoint ID. For example, if you were to call an endpoint `jsonPlaceholder`, the composables will be called `useJsonPlaceholderData` and `$jsonPlaceholder`.
@@ -42,6 +43,7 @@ type ApiPartyEndpoints = Record<
     query?: QueryObject
     headers?: Record<string, string>
     cookies?: boolean
+    allowedUrls?: string[]
   }
 > | undefined
 ```

diff --git a/docs/guide/dynamic-backend-url.md b/docs/guide/dynamic-backend-url.md
@@ -2,6 +2,24 @@
 
 If you need to change the backend URL at runtime, you can do so by using a custom header based on the endpoint name. This is useful for example when you have a multi-tenant application where each tenant has its own backend URL.
 
+To prevent leaking sensitive data you have to specify a list of allowed backend URLs for each endpoint in the `allowedUrls` option. If the dynamic backend URL is not in the array, the request will be rejected.
+
+```ts
+// `nuxt.config.ts`
+export default defineNuxtConfig({
+  modules: ['nuxt-api-party'],
+
+  apiParty: {
+    endpoints: {
+      jsonPlaceholder: {
+        url: 'https://jsonplaceholder.typicode.com',
+        allowedUrls: ['https://jsonplaceholder-v2.typicode.com']
+      }
+    }
+  }
+})
+```
+
 ## Example
 
 ::: info

diff --git a/src/module.ts b/src/module.ts
@@ -14,6 +14,7 @@ export interface ModuleOptions {
    * - `query`: Query parameters to send with each request (optional)
    * - `headers`: Headers to send with each request (optional)
    * - `cookies`: Whether to send cookies with each request (optional)
+   * - `allowedUrls`: A list of allowed URLs to change the backend URL at runtime (optional)
    *
    * @example
    * export default defineNuxtConfig({
@@ -39,6 +40,7 @@ export interface ModuleOptions {
       query?: QueryObject
       headers?: Record<string, string>
       cookies?: boolean
+      allowedUrls?: string[]
     }
   >
 

diff --git a/src/runtime/server.ts b/src/runtime/server.ts
@@ -32,9 +32,20 @@ export default defineEventHandler(async (event): Promise<any> => {
   // (e.g. `jsonPlaceholder` endpoint becomes `Json-Placeholder-Endpoint-Url`)
   const baseURL = new Headers(headers).get(`${endpointId}-endpoint-url`) || endpoint.url
 
+  // Check if the base URL is in the allow list
+  if (
+    baseURL !== endpoint.url
+    && !endpoint.allowedUrls?.includes(baseURL)
+  ) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: `Base URL "${baseURL}" is not allowed`,
+    })
+  }
+
   try {
-    return await $fetch(
-      path!,
+    return await globalThis.$fetch(
+      path,
       {
         ...fetchOptions,
         baseURL,