handle same-domain requests

auth0 · Jul 25, 2017 · 5b4c179 · 5b4c179
1 parent 675e7f1
commit 5b4c179
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -84,7 +84,7 @@ JwtModule.forRoot({
 
 ### `whitelistedDomains: array`
 
-Authenticated requests should only be sent to domains you know and trust. Many applications make requests to APIs from multiple domains, some of which are not controlled by the developer. Since there is no way to know what the API being called will do with the information contained in the request, it is best to not send the user's token to unintended APIs.
+Authenticated requests should only be sent to domains you know and trust. Many applications make requests to APIs from multiple domains, some of which are not controlled by the developer. Since there is no way to know what the API being called will do with the information contained in the request, it is best to not send the user's token any and all APIs in a blind fashion.
 
 List any domains you wish to allow authenticated requests to be sent to by specifying them in the the `whitelistedDomains` array.
 
@@ -98,6 +98,25 @@ JwtModule.forRoot({
 })
 ```
 
+**Note:** If requests are sent to the same domain that is serving your Angular application, you do not need to add that domain to the `whitelistedDomains` array. However, this is only the case if you don't specify the domain in the `Http` request.
+
+For example, the following request assumes that the domain is the same as the one serving your app. It doesn't need to be whitelisted in this case.
+
+```ts
+this.http.get('/api/things')
+  .subscribe(...)
+```
+
+However, if you are serving your API at the same domain as that which is serving your Angular app **and** you are specifying that domain in `Http` requests, then it **does** need to be whitelisted.
+
+```ts
+// Both the Angular app and the API are served at
+// localhost:4200 but because that domain is specified
+// in the request, it must be whitelisted
+this.http.get('http://localhost:4200/api/things')
+  .subscribe(...)
+```
+
 ### `headerName: string`
 
 The default header name is `Authorization`. This can be changed by specifying a custom `headerName` which is to be a string value.

diff --git a/index.ts b/index.ts
@@ -12,7 +12,7 @@ export interface JwtModuleOptions {
     tokenGetter: () => string;
     headerName?: string;
     tokenName?: string;
-    whitelistedDomains: Array<string>;
+    whitelistedDomains?: Array<string>;
     throwNoTokenError: boolean;
     skipWhenExpired?: boolean;
   }

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@auth0/angular-jwt",
-  "version": "1.0.0-beta.3",
+  "version": "1.0.0-beta.4",
   "description": "JSON Web Token helper library for Angular",
   "scripts": {
     "prepublish": "ngc && npm run build",

diff --git a/src/jwt.interceptor.ts b/src/jwt.interceptor.ts
@@ -31,8 +31,16 @@ export class JwtInterceptor implements HttpInterceptor {
   }
 
   isWhitelistedDomain(request: HttpRequest<any>): boolean {
-    const requestUrl: URL = new URL(request.url);
-    return this.whitelistedDomains.indexOf(requestUrl.host) > -1;
+    let requestUrl: URL;
+    try {
+      requestUrl = new URL(request.url);
+      return this.whitelistedDomains.indexOf(requestUrl.host) > -1;
+    } catch (err) {
+      // if we're here, the request is made
+      // to the same domain as the Angular app
+      // so it's safe to proceed
+      return true;
+    }
   }
 
   intercept(