Remove `SERVER_NAME` config for the duration of requests

* because otherwise, `url_for()` will prefer that value over the HTTP Host header value * this causes issues for us with our multi-domain setup, in conjunction with the OIDC redirects - given that `SERVER_NAME` can only be a scalar value, trying to login on a secondary domain will redirect to the primary one and typically fail (because sessions are different, etc.) * also make sure that the `APP_ALLOWED_HOSTS` config contains the `SERVER_NAME` if set

Remove `SERVER_NAME` config for the duration of requests
e2cd5b79 · Moser, Maximilian · a99e0e44 · e2cd5b79
Commit e2cd5b79 authored 9 months ago by Moser, Maximilian
--- a/invenio_config_tuw/ext.py
+++ b/invenio_config_tuw/ext.py
@@ -42,14 +42,40 @@ class InvenioConfigTUW(object):
        """Flask application initialization."""
        self.init_config(app)
        self.init_minify(app)
+        self.handle_server_name(app)
        app.extensions["invenio-config-tuw"] = self
-        @app.before_first_request
+    def handle_server_name(self, app):
-        def hack_app_config():
+        """Pop the `SERVER_NAME` configuration item between requests.
-            # replace the app's config with our own override that evaluates the
-            # LocalProxy objects used for SITE_{API,UI}_URL by casting them into strings
+        This can be useful in multi-domain setups where for some reason, absolute
-            # (which is their expected type)
+        URLs with the currently requested hostname need to be generated inside an
-            app.config = TUWConfig.from_flask_config(app.config)
+        active request context (e.g. OIDC redirect URIs).
+        It seems like if `SERVER_NAME` is set, it will take precedence over
+        HTTP `Host` when calling `url_for()`.
+        """
+        self.server_name = app.config.get("SERVER_NAME", None)
+        # since allowing the client to set arbitrary vlaues of the HTTP Host header
+        # field can lead to arbitrary redirects, it's important to keep track of
+        # allowed values
+        allowed_hosts = app.config.get("APP_ALLOWED_HOSTS", [])
+        if self.server_name and self.server_name not in allowed_hosts:
+            allowed_hosts.append(self.server_name)
+        app.config["APP_ALLOWED_HOSTS"] = app.config["ALLOWED_HOSTS"] = allowed_hosts
+        @app.before_request
+        def pop_server_name():
+            """Unset `SERVER_NAME` to prefer the HOST HTTP header value."""
+            self.server_name = app.config.get("SERVER_NAME", None)
+            app.config["SERVER_NAME"] = None
+        @app.after_request
+        def restore_server_name(response):
+            """Restore `SERVER_NAME` enable creating URLs outside of requests."""
+            app.config.setdefault("SERVER_NAME", self.server_name)
+            return response
    def init_config(self, app):
        """Initialize configuration."""