Reject requests from unrecognised Host headers when running authenticated/private. Adds server middleware, CLI `allowed-hostname` command, config-schema field, and prompt support for configuring allowed hostnames during onboard/configure. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
/**
 * Reduces operator-supplied hostname input to a bare, lower-cased hostname.
 *
 * The input may be a plain hostname or a full URL; anything without a
 * `://` is parsed as if it were prefixed with `http://`. Only the
 * `hostname` component of the parsed URL is kept, so scheme, credentials,
 * port, path and query are all discarded. An entry such as
 * `user@host.example` therefore normalizes to `host.example`.
 *
 * NOTE(review): `URL.hostname` returns IPv6 literals in bracketed form
 * (`[::1]`); whatever compares these values against a request's Host header
 * needs to use the same form. Confirm against the consumer.
 *
 * @param raw - Hostname or URL as typed by the operator.
 * @returns The lower-cased hostname.
 * @throws Error "Hostname is required" when `raw` is empty or whitespace.
 * @throws Error "Invalid hostname: <raw>" when the input cannot be parsed
 *   as a URL or the parsed URL has no hostname.
 */
export function normalizeHostnameInput(raw: string): string {
  const trimmed = raw.trim();
  if (trimmed.length === 0) {
    throw new Error("Hostname is required");
  }

  let host = "";
  try {
    // Bare hostnames get a dummy scheme so the URL parser accepts them.
    const candidate = trimmed.includes("://") ? trimmed : `http://${trimmed}`;
    host = new URL(candidate).hostname.trim().toLowerCase();
  } catch {
    // Parse failure: leave host empty so it is reported as invalid below.
  }

  // A parse failure and a URL with no hostname are reported the same way.
  if (host === "") {
    throw new Error(`Invalid hostname: ${raw}`);
  }
  return host;
}
/**
 * Parses a comma-separated list of hostnames into a de-duplicated array.
 *
 * Each segment is passed through `normalizeHostnameInput`, so entries are
 * compared after normalization and the first occurrence fixes the position
 * in the result. A blank or whitespace-only `raw` yields an empty list.
 * An empty segment inside a non-blank list (for example a trailing comma)
 * is not skipped: it is handed to `normalizeHostnameInput`, which throws.
 *
 * @param raw - Comma-separated hostnames or URLs.
 * @returns Unique normalized hostnames in first-seen order.
 * @throws Error propagated from `normalizeHostnameInput` for the first
 *   segment that fails to normalize.
 */
export function parseHostnameCsv(raw: string): string[] {
  if (raw.trim() === "") {
    return [];
  }

  // A Set keeps insertion order, so duplicates collapse onto their first position.
  const seen = new Set<string>(
    raw.split(",").map((segment) => normalizeHostnameInput(segment)),
  );
  return [...seen];
}