From b438c174c44ebff12f131777a842868baf3c93a0 Mon Sep 17 00:00:00 2001
From: Baptiste Arnaud
Date: Fri, 19 Jan 2024 14:41:43 +0100
Subject: [PATCH] :passport_control: Enable allowed origins security to depreceated sendMessage endpoints

---
 .../features/chat/api/legacy/sendMessageV1.ts | 30 ++++++++++++++++++-
 .../features/chat/api/legacy/sendMessageV2.ts | 29 +++++++++++++++++-
 2 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/apps/viewer/src/features/chat/api/legacy/sendMessageV1.ts b/apps/viewer/src/features/chat/api/legacy/sendMessageV1.ts
index 06a0e175d..4d7d7d590 100644
--- a/apps/viewer/src/features/chat/api/legacy/sendMessageV1.ts
+++ b/apps/viewer/src/features/chat/api/legacy/sendMessageV1.ts
@@ -29,7 +29,7 @@ export const sendMessageV1 = publicProcedure
   .mutation(
     async ({
       input: { sessionId, message, startParams, clientLogs },
-      ctx: { user },
+      ctx: { user, origin, res },
     }) => {
       const session = sessionId ? await getSession(sessionId) : null
 
@@ -104,6 +104,21 @@ export const sendMessageV1 = publicProcedure
         message,
       })
 
+      if (startParams.isPreview || typeof startParams.typebot !== 'string') {
+        if (
+          newSessionState.allowedOrigins &&
+          newSessionState.allowedOrigins.length > 0
+        ) {
+          if (origin && newSessionState.allowedOrigins.includes(origin))
+            res.setHeader('Access-Control-Allow-Origin', origin)
+          else
+            res.setHeader(
+              'Access-Control-Allow-Origin',
+              newSessionState.allowedOrigins[0]
+            )
+        }
+      }
+
       const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs
 
       const session = startParams?.isOnlyRegistering
@@ -137,6 +152,19 @@ export const sendMessageV1 = publicProcedure
           clientSideActions,
         }
       } else {
+        if (
+          session.state.allowedOrigins &&
+          session.state.allowedOrigins.length > 0
+        ) {
+          if (origin && session.state.allowedOrigins.includes(origin))
+            res.setHeader('Access-Control-Allow-Origin', origin)
+          else
+            res.setHeader(
+              'Access-Control-Allow-Origin',
+              session.state.allowedOrigins[0]
+            )
+        }
+
         const {
           messages,
           input,
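Review bot: The reflected `Access-Control-Allow-Origin` value in the `if (origin && newSessionState.allowedOrigins.includes(origin))` branch is written without a matching `Vary: Origin`, so a cache between the viewer and the browser may serve one origin's response to another; add `res.setHeader('Vary', 'Origin')` beside each `setHeader` call here, in the following hunk, and in both sendMessageV2 hunks. The header is also only written after `startSession` has returned, so a request from a non-listed origin has already created the session and run the bot before the browser is denied the response — a short comment stating that this guards response readability, not execution, would stop the next reader from assuming otherwise. The guard on the first added line applies the check only to previews and inline typebot objects, which reads as the inverse of what a per-bot allowed-origins setting would protect; if that is intended, a comment saying why would help, otherwise confirm against `startSession` whether `!startParams.isPreview && typeof startParams.typebot === 'string'` was meant. The enclosing mutation callback starts and ends outside the hunk.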
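Review bot: The twelve-line allowed-origins block added in this `else` branch is the same code as in the previous hunk and as both additions in sendMessageV2, differing only in whether the list is read from `newSessionState` or `session.state`. Lifting it into one helper that takes `(res, origin, allowedOrigins)`, returns early when the list is empty or undefined, and otherwise sets the header to `origin` when included and to `allowedOrigins[0]` when not, would leave a single place to document and test the policy; each call site would become `setAllowedOriginHeader(res, origin, session.state.allowedOrigins)`. The enclosing mutation callback starts and ends outside the hunk.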
diff --git a/apps/viewer/src/features/chat/api/legacy/sendMessageV2.ts b/apps/viewer/src/features/chat/api/legacy/sendMessageV2.ts
index 04c5c94e9..9d8655d4e 100644
--- a/apps/viewer/src/features/chat/api/legacy/sendMessageV2.ts
+++ b/apps/viewer/src/features/chat/api/legacy/sendMessageV2.ts
@@ -29,7 +29,7 @@ export const sendMessageV2 = publicProcedure
   .mutation(
     async ({
       input: { sessionId, message, startParams, clientLogs },
-      ctx: { user },
+      ctx: { user, res, origin },
     }) => {
       const session = sessionId ? await getSession(sessionId) : null
 
@@ -104,6 +104,21 @@ export const sendMessageV2 = publicProcedure
         message,
       })
 
+      if (startParams.isPreview || typeof startParams.typebot !== 'string') {
+        if (
+          newSessionState.allowedOrigins &&
+          newSessionState.allowedOrigins.length > 0
+        ) {
+          if (origin && newSessionState.allowedOrigins.includes(origin))
+            res.setHeader('Access-Control-Allow-Origin', origin)
+          else
+            res.setHeader(
+              'Access-Control-Allow-Origin',
+              newSessionState.allowedOrigins[0]
+            )
+        }
+      }
+
       const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs
 
       const session = startParams?.isOnlyRegistering
@@ -137,6 +152,18 @@ export const sendMessageV2 = publicProcedure
           clientSideActions,
         }
       } else {
+        if (
+          session.state.allowedOrigins &&
+          session.state.allowedOrigins.length > 0
+        ) {
+          if (origin && session.state.allowedOrigins.includes(origin))
+            res.setHeader('Access-Control-Allow-Origin', origin)
+          else
+            res.setHeader(
+              'Access-Control-Allow-Origin',
+              session.state.allowedOrigins[0]
+            )
+        }
         const {
           messages,
           input,