Remove the GRIST_ALLOWED_HOSTS environment variable #899
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
While reviewing @fflorent 's #895 and discussing with various people at ANCT we realized that the
GRIST_ALLOWED_HOSTS
environment variable was added in a PR submitted in 2022 by another developer working at the time with ANCT : #287.It turns out that the use case that originally motivated the PR (#271) is now covered in two ways:
GRIST_ALLOWED_HOSTS
, making an API key available in a client, which is definitely something one wants to discourage as pointed out by @dsagal in env var for controling allowed origins ? #271 (comment). Indeed we saw this mistake occur in the very web app that motivated the addition ofGRIST_ALLOWED_HOSTS
(the exposed API key has since been revoked).We are now confident that we do not need this variable and have removed it from our deployment. Given the specificity of the use case it enables, and the lack of adequate documentation as evidenced by #895, it seems doubtful that any other Grist deployment would currently be depending on it, although it is of course difficult to be certain.
We also estimate that keeping it available in Grist has multiple downsides:
GRIST_ALLOWED_HOSTS
played a significant part in my bafflement while trying to implement origin checking for Support HTTP long polling as an alternative to WebSockets #859);GRIST_ALLOWED_HOSTS
to bypass an otherwise broken configuration ofAPP_HOME_URL
and the other relevant variables (which are unfortunately numerous).Proposed solution
This PR mostly reverts commit 49b1749. A few notes on what was kept:
allowHost
, the logic introduced by Add function to allow hosts from environment variables #287 that allows a domain name that doesn't match the standard<orgname>.<basedomain>.<tld>
pattern enforced byparseSubdomain
to match itself was kept, although with simplified logic that does not involvelodash
. This might not be necessary, since requests whoseHost
match theirOrigin
are by definition not cross-origin, and would therefore not end up inallowHost
, but was kept out of an abundance of caution.matchesBaseDomain
function seemeed like an unrelated but useful addition of Add function to allow hosts from environment variables #287 (notably making the checks againstALLOWED_WEBHOOK_DOMAINS
more robust), so it was kept as well.