don't pass through headers from the incoming req

when implementing #228 I accidentally passed through all the headers by using _.extend. fixes #237: this bug was caused by passing through the `host` header, which will lead to the api proxy trying to make an https request against the http render app instead of the actually configured api host which expects the https connection
rendrjs · Dec 23, 2013 · 318bfe2 · 318bfe2
1 parent 957afbe
commit 318bfe2
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/server/middleware/apiProxy.js b/server/middleware/apiProxy.js
@@ -20,8 +20,9 @@ function apiProxy(dataAdapter) {
 
     api.path = apiProxy.getApiPath(req.path);
     api.api = apiProxy.getApiName(req.path);
-    api.headers = apiProxy.addXForwardedForHeader(
-      req.headers, req.ip);
+    api.headers = {
+      'x-forwarded-for': apiProxy.getXForwardedForHeader(req.headers, req.ip)
+    };
 
     dataAdapter.request(req, api, {
       convertErrorCode: false
@@ -50,13 +51,13 @@ apiProxy.getApiName = function getApiName(path) {
   return apiName;
 };
 
-apiProxy.addXForwardedForHeader = function (headers, clientIp) {
+apiProxy.getXForwardedForHeader = function (headers, clientIp) {
   var existingHeader = headers['x-forwarded-for'],
       newHeaderValue = clientIp;
 
   if (existingHeader) {
     newHeaderValue = existingHeader + ', ' + clientIp;
   }
 
-  return _.extend({}, headers, {'x-forwarded-for': newHeaderValue});
+  return newHeaderValue;
 };
diff --git a/test/server/middleware/apiProxy.test.js b/test/server/middleware/apiProxy.test.js
@@ -11,7 +11,11 @@ describe('apiProxy', function() {
 
     beforeEach(function () {
       requestToApi = sinon.stub();
-      requestFromClient = { path: '/', headers: {}, connection: {} },
+      requestFromClient = {
+        path: '/',
+        headers: { 'host': 'any.host.name', },
+        connection: {}
+      },
       dataAdater = { request: requestToApi },
       proxy = apiProxy(dataAdater),
       responseToClient = { status: sinon.spy(), json: sinon.spy() };
@@ -67,6 +71,13 @@ describe('apiProxy', function() {
         incomingHeaders['x-forwarded-for']);
     });
 
+
+   it('should not pass through the host header', function () {
+      proxy(requestFromClient, responseToClient);
+      outgoingHeaders = requestToApi.firstCall.args[1].headers;
+      outgoingHeaders.should.not.contain.key('host');
+   });
+
   });
 
   describe('getApiPath', function() {