Login page only X-FRame-Options header

2023-01-24 19:53:25 +05:30 · 2023-01-24 19:53:25 +05:30 · 684ec40526
parent 97fee864bf
commit 684ec40526
2 changed files with 25 additions and 12 deletions
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@ -1,13 +1,21 @@
 import { collectEvents } from "next-collect/server";
 import { NextMiddleware, NextResponse, userAgent } from "next/server";

-import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
+import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL, IS_SELF_HOSTED } from "@calcom/lib/constants";
 import { isIpInBanlist } from "@calcom/lib/getIP";
 import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";

 const middleware: NextMiddleware = async (req) => {
  const url = req.nextUrl;

+  //TODO: Might be a good idea to extract out all conditions where IS_SELF_HOSTED is handled in a Cal.config.ts file, so that self hosters can also enable this features just by modifying that config
+  if (url.pathname.startsWith("/auth/login") && !IS_SELF_HOSTED) {
+    console.log("Redirecting to login page");
+    const response = NextResponse.next();
+    response.headers.set("X-Frame-Options", "SAMEORIGIN");
+    return response;
+  }
+
  if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {
    const callbackUrl = url.searchParams.get("callbackUrl");
    const { isBot } = userAgent(req);
@ -40,7 +48,13 @@ const middleware: NextMiddleware = async (req) => {
 };

 export const config = {
-  matcher: ["/api/collect-events/:path*", "/api/auth/:path*", "/apps/routing_forms/:path*", "/:path*/embed"],
+  matcher: [
+    "/api/collect-events/:path*",
+    "/api/auth/:path*",
+    "/apps/routing_forms/:path*",
+    "/:path*/embed",
+    "/auth/login",
+  ],
 };

 export default collectEvents({
--- a/apps/web/next.config.js
+++ b/apps/web/next.config.js
@ -263,28 +263,27 @@ const nextConfig = {
    return redirects;
  },
  async headers() {
-    const ContentSecurityPolicy = `
+    const ContentSecurityPolicyForCalHosted = `
      default-src 'self';
      script-src 'self';
      child-src app.cal.com;
      style-src 'self' app.cal.com;
      font-src 'self';  
    `;
-    return [
-      {
+    const redirects = [];
+
+    if (process.env.NEXT_PUBLIC_WEBAPP_URL === "https://app.cal.com") {
+      redirects.push({
        source: "/:path*",
        headers: [
-          {
-            key: "X-Frame-Options",
-            value: "SAMEORIGIN",
-          },
          {
            key: "Content-Security-Policy",
-            value: ContentSecurityPolicy.replace(/\s{2,}/g, " ").trim(),
+            value: ContentSecurityPolicyForCalHosted.replace(/\s{2,}/g, " ").trim(),
          },
        ],
-      },
-    ];
+      });
+    }
+    return redirects;
  },
 };