Reintroduce express to proxy to rails app #4225
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| onProxyRes: (proxyRes, request, response) => { | ||
| const redir = proxyRes.headers['location']; | ||
| if (redir) { | ||
| const host = parse(redir).host; |
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Avoid using url.parse() as it may cause security issues. Consider using the URL class instead.
Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/nodejs-insecure-url-parse.yaml
Cc @thypon @fmarier
| const host = parse(redir).host; | ||
| if (`https://${host}` == pubHost) { | ||
| const newRedirUrlToProxy = `${nextHost}${ | ||
| parse(redir).pathname |
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Avoid using url.parse() as it may cause security issues. Consider using the URL class instead.
Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/nodejs-insecure-url-parse.yaml
Cc @thypon @fmarier
| app | ||
| .prepare() | ||
| .then(() => { | ||
| const expressApp = express(); |
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] A CSRF middleware was not detected in your express application. Ensure you are either using one such as csurf or csrf (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.
Source: https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
Cc @thypon @bcaller
|
Is there any flow diagram of the next/rails forwarding? Cc @bcaller |
This express proxy will take care of rewriting redirects coming back from rails which will redirect to itself. We want instead to redirect back to our Next proxy.