mirror of
https://github.com/Comfy-Org/ComfyUI_frontend.git
synced 2026-02-01 22:09:55 +00:00
9c97fb359d
## Summary Hide Google/GitHub SSO login options when the UI is accessed from **non‑local** addresses. This PR also adds a **static whitelist** (editable in code) so we can allow additional hosts if needed. Default whitelisted addresses: 1. `localhost` and any subdomain: `*.localhost` 2. IPv4 loopback `127.0.0.0/8` (e.g., `127.x.y.z`) 4. IPv6 loopback `::1` (including equivalent textual forms such as `::0001`) ## Changes - **What**: * Add `src/utils/hostWhitelist.ts` with `normalizeHost` and `isHostWhitelisted` helpers. * Update `SignInContent.vue` to **hide** SSO options when `isHostWhitelisted(normalizeHost(window.location.hostname))` returns `false`. - **Breaking**: * Users accessing from Runpod or other previously allowed **non‑local** hosts will **lose** SSO login options. If we need to keep SSO there, we should add those hosts to the whitelist in `hostWhitelist.ts`. ## Review Focus 1. Verify that logging in from local addresses (`localhost`, `*.localhost`, `127.0.0.1`, `::1`) **does not change** the current behavior: SSO is visible. 2. Verify that from a **non‑local** address, SSO options are **not** displayed. ## Screenshots (if applicable) UI opened from `192.168.2.109` address: <img width="500" height="990" alt="Screenshot From 2025-09-27 13-22-15" src="https://github.com/user-attachments/assets/c97b10a1-b069-43e4-a26b-a71eeb228a51" /> UI opened from default `127.0.0.1` address(nothing changed): <img width="462" height="955" alt="Screenshot From 2025-09-27 13-35-27" src="https://github.com/user-attachments/assets/bb2bf21c-dc8d-49cb-b48e-8fc6e408023c" /> ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-5815-feat-auth-Allow-SSO-login-only-for-whitelisted-addresses-localhost-27b6d73d365081ccbe84c034cf8e416d) by [Unito](https://www.unito.io)
124 lines
3.7 KiB
TypeScript
124 lines
3.7 KiB
TypeScript
import { describe, expect, it } from 'vitest'
|
|
|
|
import { isHostWhitelisted, normalizeHost } from '@/utils/hostWhitelist'
|
|
|
|
describe('hostWhitelist utils', () => {
|
|
describe('normalizeHost', () => {
|
|
it.each([
|
|
['LOCALHOST', 'localhost'],
|
|
['localhost.', 'localhost'], // trims trailing dot
|
|
['localhost:5173', 'localhost'], // strips :port
|
|
['127.0.0.1:5173', '127.0.0.1'], // strips :port
|
|
['[::1]:5173', '::1'], // strips brackets + :port
|
|
['[::1]', '::1'], // strips brackets
|
|
['::1', '::1'], // leaves plain IPv6
|
|
[' [::1] ', '::1'], // trims whitespace
|
|
['APP.LOCALHOST', 'app.localhost'], // lowercases
|
|
['example.com.', 'example.com'], // trims trailing dot
|
|
['[2001:db8::1]:8443', '2001:db8::1'], // IPv6 with brackets+port
|
|
['2001:db8::1', '2001:db8::1'] // plain IPv6 stays
|
|
])('normalizeHost(%o) -> %o', (input, expected) => {
|
|
expect(normalizeHost(input)).toBe(expected)
|
|
})
|
|
|
|
it('does not strip non-numeric suffixes (not a port pattern)', () => {
|
|
expect(normalizeHost('example.com:abc')).toBe('example.com:abc')
|
|
expect(normalizeHost('127.0.0.1:abc')).toBe('127.0.0.1:abc')
|
|
})
|
|
})
|
|
|
|
describe('isHostWhitelisted', () => {
|
|
describe('localhost label', () => {
|
|
it.each([
|
|
'localhost',
|
|
'LOCALHOST',
|
|
'localhost.',
|
|
'localhost:5173',
|
|
'foo.localhost',
|
|
'Foo.Localhost',
|
|
'sub.foo.localhost',
|
|
'foo.localhost:5173'
|
|
])('should allow %o', (input) => {
|
|
expect(isHostWhitelisted(input)).toBe(true)
|
|
})
|
|
|
|
it.each([
|
|
'localhost.com',
|
|
'evil-localhost',
|
|
'notlocalhost',
|
|
'foo.localhost.evil'
|
|
])('should NOT allow %o', (input) => {
|
|
expect(isHostWhitelisted(input)).toBe(false)
|
|
})
|
|
})
|
|
|
|
describe('IPv4 127/8 loopback', () => {
|
|
it.each([
|
|
'127.0.0.1',
|
|
'127.1.2.3',
|
|
'127.255.255.255',
|
|
'127.0.0.1:3000',
|
|
'127.000.000.001', // leading zeros are still digits 0-255
|
|
'127.0.0.1.' // trailing dot should be tolerated
|
|
])('should allow %o', (input) => {
|
|
expect(isHostWhitelisted(input)).toBe(true)
|
|
})
|
|
|
|
it.each([
|
|
'126.0.0.1',
|
|
'127.256.0.1',
|
|
'127.-1.0.1',
|
|
'127.0.0.1:abc',
|
|
'128.0.0.1',
|
|
'192.168.1.10',
|
|
'10.0.0.2',
|
|
'0.0.0.0',
|
|
'255.255.255.255',
|
|
'127.0.0', // malformed
|
|
'127.0.0.1.5' // malformed
|
|
])('should NOT allow %o', (input) => {
|
|
expect(isHostWhitelisted(input)).toBe(false)
|
|
})
|
|
})
|
|
|
|
describe('IPv6 loopback ::1 (all textual forms)', () => {
|
|
it.each([
|
|
'::1',
|
|
'[::1]',
|
|
'[::1]:5173',
|
|
'::0001',
|
|
'0:0:0:0:0:0:0:1',
|
|
'0000:0000:0000:0000:0000:0000:0000:0001',
|
|
// Compressed equivalents of ::1 (with zeros compressed)
|
|
'0:0::1',
|
|
'0:0:0:0:0:0::1',
|
|
'::0:1' // compressing the initial zeros (still ::1 when expanded)
|
|
])('should allow %o', (input) => {
|
|
expect(isHostWhitelisted(input)).toBe(true)
|
|
})
|
|
|
|
it.each([
|
|
'::2',
|
|
'::',
|
|
'::0',
|
|
'0:0:0:0:0:0:0:2',
|
|
'fe80::1', // link-local, not loopback
|
|
'2001:db8::1',
|
|
'::1:5173', // bracketless "port-like" suffix must not pass
|
|
':::1', // invalid (triple colon)
|
|
'0:0:0:0:0:0:::1', // invalid compression
|
|
'[::1%25lo0]',
|
|
'[::1%25lo0]:5173',
|
|
'::1%25lo0'
|
|
])('should NOT allow %o', (input) => {
|
|
expect(isHostWhitelisted(input)).toBe(false)
|
|
})
|
|
|
|
it('should reject empty/whitespace-only input', () => {
|
|
expect(isHostWhitelisted('')).toBe(false)
|
|
expect(isHostWhitelisted(' ')).toBe(false)
|
|
})
|
|
})
|
|
})
|
|
})
|