feat: private hostname guard for authenticated/private mode
Reject requests from unrecognised Host headers when running authenticated/private. Adds server middleware, CLI `allowed-hostname` command, config-schema field, and prompt support for configuring allowed hostnames during onboard/configure. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
26
cli/src/config/hostnames.ts
Normal file
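--- a/cli/src/config/hostnames.ts
+++ b/cli/src/config/hostnames.ts
@@ -0,0 +1,26 @@
+export function normalizeHostnameInput(raw: string): string {
+const input = raw.trim();
+if (!input) {
+throw new Error("Hostname is required");
+}
+
+try {
+const url = input.includes("://") ? new URL(input) : new URL(`http://${input}`);
+const hostname = url.hostname.trim().toLowerCase();
+if (!hostname) throw new Error("Hostname is required");
+return hostname;
+} catch {
+throw new Error(`Invalid hostname: ${raw}`);
+}
+}
+
+export function parseHostnameCsv(raw: string): string[] {
+if (!raw.trim()) return [];
+const unique = new Set<string>();
+for (const part of raw.split(",")) {
+const hostname = normalizeHostnameInput(part);
+unique.add(hostname);
+}
+return Array.from(unique);
+}
+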
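Review bot: In `normalizeHostnameInput`, everything except `url.hostname` is silently discarded, so an allowlist entry can name a different host than the operator typed: `trusted.example@other.example` parses with `trusted.example` as userinfo and allowlists `other.example`, and a pasted URL with a port, path or query is accepted without comment. Because this value gates the Host-header check, I would reject credentials inside the `try`, e.g. `if (url.username || url.password) throw new Error("credentials are not allowed in a hostname");`, and either reject or warn when a port, path or query was present. Separately, `parseHostnameCsv` fails the whole list on an empty segment (a trailing comma in `a.example,` reaches the "Hostname is required" throw); skipping blank parts or naming the offending segment would be easier to diagnose. The middleware that consumes these values is not in this section, so confirm it normalises the incoming Host header the same way (lower-casing, IPv6 brackets, trailing dot), otherwise entries stored here may never match.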