🛂 Enable allowed origins security to depreceated sendMessage endpoints

2024-01-19 14:41:43 +01:00
parent 29bd5f1539
commit b438c174c4
2 changed files with 57 additions and 2 deletions
--- a/apps/viewer/src/features/chat/api/legacy/sendMessageV1.ts
+++ b/apps/viewer/src/features/chat/api/legacy/sendMessageV1.ts
@ -29,7 +29,7 @@ export const sendMessageV1 = publicProcedure
  .mutation(
    async ({
      input: { sessionId, message, startParams, clientLogs },
-      ctx: { user },
+      ctx: { user, origin, res },
    }) => {
      const session = sessionId ? await getSession(sessionId) : null

@ -104,6 +104,21 @@ export const sendMessageV1 = publicProcedure
          message,
        })

+        if (startParams.isPreview || typeof startParams.typebot !== 'string') {
+          if (
+            newSessionState.allowedOrigins &&
+            newSessionState.allowedOrigins.length > 0
+          ) {
+            if (origin && newSessionState.allowedOrigins.includes(origin))
+              res.setHeader('Access-Control-Allow-Origin', origin)
+            else
+              res.setHeader(
+                'Access-Control-Allow-Origin',
+                newSessionState.allowedOrigins[0]
+              )
+          }
+        }
+
        const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs

        const session = startParams?.isOnlyRegistering
@ -137,6 +152,19 @@ export const sendMessageV1 = publicProcedure
          clientSideActions,
        }
      } else {
+        if (
+          session.state.allowedOrigins &&
+          session.state.allowedOrigins.length > 0
+        ) {
+          if (origin && session.state.allowedOrigins.includes(origin))
+            res.setHeader('Access-Control-Allow-Origin', origin)
+          else
+            res.setHeader(
+              'Access-Control-Allow-Origin',
+              session.state.allowedOrigins[0]
+            )
+        }
+
        const {
          messages,
          input,
--- a/apps/viewer/src/features/chat/api/legacy/sendMessageV2.ts
+++ b/apps/viewer/src/features/chat/api/legacy/sendMessageV2.ts
@ -29,7 +29,7 @@ export const sendMessageV2 = publicProcedure
  .mutation(
    async ({
      input: { sessionId, message, startParams, clientLogs },
-      ctx: { user },
+      ctx: { user, res, origin },
    }) => {
      const session = sessionId ? await getSession(sessionId) : null

@ -104,6 +104,21 @@ export const sendMessageV2 = publicProcedure
          message,
        })

+        if (startParams.isPreview || typeof startParams.typebot !== 'string') {
+          if (
+            newSessionState.allowedOrigins &&
+            newSessionState.allowedOrigins.length > 0
+          ) {
+            if (origin && newSessionState.allowedOrigins.includes(origin))
+              res.setHeader('Access-Control-Allow-Origin', origin)
+            else
+              res.setHeader(
+                'Access-Control-Allow-Origin',
+                newSessionState.allowedOrigins[0]
+              )
+          }
+        }
+
        const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs

        const session = startParams?.isOnlyRegistering
@ -137,6 +152,18 @@ export const sendMessageV2 = publicProcedure
          clientSideActions,
        }
      } else {
+        if (
+          session.state.allowedOrigins &&
+          session.state.allowedOrigins.length > 0
+        ) {
+          if (origin && session.state.allowedOrigins.includes(origin))
+            res.setHeader('Access-Control-Allow-Origin', origin)
+          else
+            res.setHeader(
+              'Access-Control-Allow-Origin',
+              session.state.allowedOrigins[0]
+            )
+        }
        const {
          messages,
          input,