Login page only X-FRame-Options header

This commit is contained in:
Hariom Balhara 2023-01-24 19:53:25 +05:30
parent 97fee864bf
commit 684ec40526
2 changed files with 25 additions and 12 deletions


@ -1,13 +1,21 @@
import { collectEvents } from "next-collect/server"; import { collectEvents } from "next-collect/server";
import { NextMiddleware, NextResponse, userAgent } from "next/server"; import { NextMiddleware, NextResponse, userAgent } from "next/server";
import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants"; import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL, IS_SELF_HOSTED } from "@calcom/lib/constants";
import { isIpInBanlist } from "@calcom/lib/getIP"; import { isIpInBanlist } from "@calcom/lib/getIP";
import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry"; import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";
const middleware: NextMiddleware = async (req) => { const middleware: NextMiddleware = async (req) => {
const url = req.nextUrl; const url = req.nextUrl;
//TODO: Might be a good idea to extract out all conditions where IS_SELF_HOSTED is handled in a Cal.config.ts file, so that self hosters can also enable this features just by modifying that config
if (url.pathname.startsWith("/auth/login") && !IS_SELF_HOSTED) {
console.log("Redirecting to login page");
const response = NextResponse.next();
response.headers.set("X-Frame-Options", "SAMEORIGIN");
return response;
}
if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) { if (["/api/collect-events", "/api/auth"].some((p) => url.pathname.startsWith(p))) {
const callbackUrl = url.searchParams.get("callbackUrl"); const callbackUrl = url.searchParams.get("callbackUrl");
const { isBot } = userAgent(req); const { isBot } = userAgent(req);
@ -40,7 +48,13 @@ const middleware: NextMiddleware = async (req) => {
}; };
export const config = { export const config = {
matcher: ["/api/collect-events/:path*", "/api/auth/:path*", "/apps/routing_forms/:path*", "/:path*/embed"], matcher: [
"/api/collect-events/:path*",
"/api/auth/:path*",
"/apps/routing_forms/:path*",
"/:path*/embed",
"/auth/login",
],
}; };
export default collectEvents({ export default collectEvents({
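Review bot: The `console.log("Redirecting to login page")` in the new `/auth/login` branch is wrong on its face — the branch calls `NextResponse.next()` and only sets a header, nothing is redirected — and it will print on every request to the login page; drop the line or make it say what happens. The matcher entry `"/auth/login"` added in the second hunk only matches that exact path, while the guard uses `url.pathname.startsWith("/auth/login")`, so the two disagree on sub-paths; pick one (`"/auth/login/:path*"` if sub-paths are intended, a plain `===` comparison otherwise). Note also that with `IS_SELF_HOSTED` set, login requests now fall through to the remainder of the middleware body (outside this hunk), which previously never ran for that path since it was not in the matcher — worth confirming that is intended rather than a side effect of the early return. The self-hosted login page then gets no anti-framing header at all; the TODO acknowledges it, but a one-line comment above the `if` saying so (`// Self-hosted deployments get no X-Frame-Options here; see TODO`) would keep the gap visible.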


@ -263,28 +263,27 @@ const nextConfig = {
return redirects; return redirects;
}, },
async headers() { async headers() {
const ContentSecurityPolicy = ` const ContentSecurityPolicyForCalHosted = `
default-src 'self'; default-src 'self';
script-src 'self'; script-src 'self';
child-src app.cal.com; child-src app.cal.com;
style-src 'self' app.cal.com; style-src 'self' app.cal.com;
font-src 'self'; font-src 'self';
`; `;
return [ const redirects = [];
{
if (process.env.NEXT_PUBLIC_WEBAPP_URL === "https://app.cal.com") {
redirects.push({
source: "/:path*", source: "/:path*",
headers: [ headers: [
{
key: "X-Frame-Options",
value: "SAMEORIGIN",
},
{ {
key: "Content-Security-Policy", key: "Content-Security-Policy",
value: ContentSecurityPolicy.replace(/\s{2,}/g, " ").trim(), value: ContentSecurityPolicyForCalHosted.replace(/\s{2,}/g, " ").trim(),
}, },
], ],
}, });
]; }
return redirects;
}, },
}; };
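Review bot: The array introduced in `headers()` is named `redirects` (`const redirects = [];` … `return redirects;`) although it holds header rules, and the sibling `redirects()` function returns a variable of the same name two lines above; `const headerRules = [];` would avoid the confusion. The substantive point is that the unconditional `X-Frame-Options: SAMEORIGIN` on `/:path*` is removed and the only remaining rule is gated on `process.env.NEXT_PUBLIC_WEBAPP_URL === "https://app.cal.com"`, so a self-hosted deployment now receives neither an anti-framing header nor a CSP on any route — including `/auth/login`, which the middleware change in this commit also skips when `IS_SELF_HOSTED` is set — where before it got both. If the goal is only to allow embedding of non-login routes, a `source: "/auth/login"` entry carrying `X-Frame-Options` could stay here unconditionally, and the hosted CSP could gain a `frame-ancestors` directive so the protection does not depend on the middleware alone. Separately, this file decides "Cal-hosted" from `NEXT_PUBLIC_WEBAPP_URL` while the middleware uses `IS_SELF_HOSTED`; if those two can diverge, the headers and the middleware will disagree on the same deployment.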