Skip to content

Commit

Permalink
Merge pull request #444 from dadi/feature/overridable-asset-config
Browse files Browse the repository at this point in the history
Override assets.allowFullURL at domain level
  • Loading branch information
jimlambie committed Oct 15, 2018
2 parents a22068d + 32622ab commit 3860c55
Show file tree
Hide file tree
Showing 5 changed files with 136 additions and 1 deletion.
6 changes: 6 additions & 0 deletions config.js
Original file line number Diff line number Diff line change
Expand Up @@ -279,6 +279,12 @@ const schema = {
format: String,
default: '',
allowDomainOverride: true
},
allowFullURL: {
doc: 'If true, assets can be loaded from any remote URL',
format: Boolean,
default: true,
allowDomainOverride: true
}
}
},
Expand Down
18 changes: 18 additions & 0 deletions dadi/lib/handlers/css.js
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ const CSSHandler = function (format, req, {
true
)

this.isExternalUrl = this.url.pathname.indexOf('http://') > 0 || this.url.pathname.indexOf('https://') > 0

this.isCompressed = Boolean(
this.options.compress ||
this.legacyURLOverrides.compress ||
Expand Down Expand Up @@ -66,6 +68,22 @@ CSSHandler.prototype.get = function () {
{domain: this.req.__domain}
)

// Aborting the request if full remote URL is required and not enabled.
if (
this.isExternalUrl &&
(
!config.get('assets.remote.enabled', this.req.__domain) ||
!config.get('assets.remote.allowFullURL', this.req.__domain)
)
) {
let err = {
statusCode: 403,
message: 'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
}

return Promise.reject(err)
}

return this.storageHandler.get().then(stream => {
return this.transform(stream)
}).then(stream => {
Expand Down
18 changes: 18 additions & 0 deletions dadi/lib/handlers/default.js
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ const DefaultHandler = function (format, req, {
true
)

this.isExternalUrl = this.url.pathname.indexOf('http://') > 0 || this.url.pathname.indexOf('https://') > 0

this.cache = Cache()
this.cacheKey = [req.__domain, this.url.href]

Expand Down Expand Up @@ -52,6 +54,22 @@ DefaultHandler.prototype.get = function () {
{domain: this.req.__domain}
)

// Aborting the request if full remote URL is required and not enabled.
if (
this.isExternalUrl &&
(
!config.get('assets.remote.enabled', this.req.__domain) ||
!config.get('assets.remote.allowFullURL', this.req.__domain)
)
) {
let err = {
statusCode: 403,
message: 'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
}

return Promise.reject(err)
}

return this.storageHandler.get().then(stream => {
return this.cache.cacheFile(stream, this.cacheKey, {
ttl: config.get('caching.ttl', this.req.__domain)
Expand Down
18 changes: 18 additions & 0 deletions dadi/lib/handlers/js.js
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ const JSHandler = function (format, req, {
true
)

this.isExternalUrl = this.url.pathname.indexOf('http://') > 0 || this.url.pathname.indexOf('https://') > 0

this.cache = Cache()
this.cacheKey = [req.__domain, this.url.href]

Expand Down Expand Up @@ -63,6 +65,22 @@ JSHandler.prototype.get = function () {
{domain: this.req.__domain}
)

// Aborting the request if full remote URL is required and not enabled.
if (
this.isExternalUrl &&
(
!config.get('assets.remote.enabled', this.req.__domain) ||
!config.get('assets.remote.allowFullURL', this.req.__domain)
)
) {
let err = {
statusCode: 403,
message: 'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
}

return Promise.reject(err)
}

return this.storageHandler.get().then(stream => {
return this.transform(stream)
}).then(stream => {
Expand Down
77 changes: 76 additions & 1 deletion test/acceptance/multi-domain.js
Original file line number Diff line number Diff line change
Expand Up @@ -333,7 +333,7 @@ describe('Multi-domain', function () {
})
}).timeout(5000)

it('should use the allowFullURL setting defined at domain level to determine whether or not a request with a full remote URL will be served', done => {
it('should use the images.allowFullURL setting defined at domain level to determine whether or not a request with a full remote URL will be served', done => {
config.set('images.remote.allowFullURL', true, 'localhost')
config.set('images.remote.allowFullURL', false, 'testdomain.com')

Expand All @@ -358,6 +358,81 @@ describe('Multi-domain', function () {
})
}).timeout(5000)

it('should use the assets.allowFullURL setting defined at domain level to determine whether or not a CSS request with a full remote URL will be served', done => {
config.set('assets.remote.allowFullURL', true, 'localhost')
config.set('assets.remote.allowFullURL', false, 'testdomain.com')

request(cdnUrl)
.get('/http://one.somedomain.tech/test.css')
.set('Host', 'localhost:80')
.expect(200)
.end((err, res) => {
res.headers['content-type'].should.eql('text/css')

request(cdnUrl)
.get('/http://one.somedomain.tech/test.css')
.set('Host', 'testdomain.com:80')
.end((err, res) => {
res.statusCode.should.eql(403)
res.body.message.should.eql(
'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
)

done()
})
})
}).timeout(5000)

it('should use the assets.allowFullURL setting defined at domain level to determine whether or not a JS request with a full remote URL will be served', done => {
config.set('assets.remote.allowFullURL', true, 'localhost')
config.set('assets.remote.allowFullURL', false, 'testdomain.com')

request(cdnUrl)
.get('/http://one.somedomain.tech/test.js')
.set('Host', 'localhost:80')
.expect(200)
.end((err, res) => {
res.headers['content-type'].should.eql('application/javascript')

request(cdnUrl)
.get('/http://one.somedomain.tech/test.js')
.set('Host', 'testdomain.com:80')
.end((err, res) => {
res.statusCode.should.eql(403)
res.body.message.should.eql(
'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
)

done()
})
})
}).timeout(5000)

it('should use the assets.allowFullURL setting defined at domain level to determine whether or not a default request with a full remote URL will be served', done => {
config.set('assets.remote.allowFullURL', true, 'localhost')
config.set('assets.remote.allowFullURL', false, 'testdomain.com')

request(cdnUrl)
.get('/http://one.somedomain.tech/test.txt')
.set('Host', 'localhost:80')
.expect(200)
.end((err, res) => {
res.headers['content-type'].should.eql('text/plain')

request(cdnUrl)
.get('/http://one.somedomain.tech/test.txt')
.set('Host', 'testdomain.com:80')
.end((err, res) => {
res.statusCode.should.eql(403)
res.body.message.should.eql(
'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
)

done()
})
})
}).timeout(5000)

describe('when the target domain is not configured', () => {
let testDomain = 'unknowndomain.com'

Expand Down

0 comments on commit 3860c55

Please sign in to comment.