🛂 Enable allowed origins security to depreceated sendMessage endpoints

baptisteArno · Jan 19, 2024 · b438c17 · b438c17
1 parent 29bd5f1
commit b438c17
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 2 deletions.
diff --git a/apps/viewer/src/features/chat/api/legacy/sendMessageV1.ts b/apps/viewer/src/features/chat/api/legacy/sendMessageV1.ts
@@ -29,7 +29,7 @@ export const sendMessageV1 = publicProcedure
   .mutation(
     async ({
       input: { sessionId, message, startParams, clientLogs },
-      ctx: { user },
+      ctx: { user, origin, res },
     }) => {
       const session = sessionId ? await getSession(sessionId) : null
 
@@ -104,6 +104,21 @@ export const sendMessageV1 = publicProcedure
           message,
         })
 
+        if (startParams.isPreview || typeof startParams.typebot !== 'string') {
+          if (
+            newSessionState.allowedOrigins &&
+            newSessionState.allowedOrigins.length > 0
+          ) {
+            if (origin && newSessionState.allowedOrigins.includes(origin))
+              res.setHeader('Access-Control-Allow-Origin', origin)
+            else
+              res.setHeader(
+                'Access-Control-Allow-Origin',
+                newSessionState.allowedOrigins[0]
+              )
+          }
+        }
+
         const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs
 
         const session = startParams?.isOnlyRegistering
@@ -137,6 +152,19 @@ export const sendMessageV1 = publicProcedure
           clientSideActions,
         }
       } else {
+        if (
+          session.state.allowedOrigins &&
+          session.state.allowedOrigins.length > 0
+        ) {
+          if (origin && session.state.allowedOrigins.includes(origin))
+            res.setHeader('Access-Control-Allow-Origin', origin)
+          else
+            res.setHeader(
+              'Access-Control-Allow-Origin',
+              session.state.allowedOrigins[0]
+            )
+        }
+
         const {
           messages,
           input,

diff --git a/apps/viewer/src/features/chat/api/legacy/sendMessageV2.ts b/apps/viewer/src/features/chat/api/legacy/sendMessageV2.ts
@@ -29,7 +29,7 @@ export const sendMessageV2 = publicProcedure
   .mutation(
     async ({
       input: { sessionId, message, startParams, clientLogs },
-      ctx: { user },
+      ctx: { user, res, origin },
     }) => {
       const session = sessionId ? await getSession(sessionId) : null
 
@@ -104,6 +104,21 @@ export const sendMessageV2 = publicProcedure
           message,
         })
 
+        if (startParams.isPreview || typeof startParams.typebot !== 'string') {
+          if (
+            newSessionState.allowedOrigins &&
+            newSessionState.allowedOrigins.length > 0
+          ) {
+            if (origin && newSessionState.allowedOrigins.includes(origin))
+              res.setHeader('Access-Control-Allow-Origin', origin)
+            else
+              res.setHeader(
+                'Access-Control-Allow-Origin',
+                newSessionState.allowedOrigins[0]
+              )
+          }
+        }
+
         const allLogs = clientLogs ? [...(logs ?? []), ...clientLogs] : logs
 
         const session = startParams?.isOnlyRegistering
@@ -137,6 +152,18 @@ export const sendMessageV2 = publicProcedure
           clientSideActions,
         }
       } else {
+        if (
+          session.state.allowedOrigins &&
+          session.state.allowedOrigins.length > 0
+        ) {
+          if (origin && session.state.allowedOrigins.includes(origin))
+            res.setHeader('Access-Control-Allow-Origin', origin)
+          else
+            res.setHeader(
+              'Access-Control-Allow-Origin',
+              session.state.allowedOrigins[0]
+            )
+        }
         const {
           messages,
           input,