OIDC issuer behind a proxy cannot be accessed

Fixes gristlabs#942
tristanrobert · Jan 8, 2025 · e15d5e5 · e15d5e5
1 parent 337859a
commit e15d5e5
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 4 deletions.
diff --git a/app/server/lib/OIDCConfig.ts b/app/server/lib/OIDCConfig.ts
@@ -181,8 +181,9 @@ export class OIDCConfig {
     this._protectionManager = new ProtectionsManager(enabledProtections);
 
     this._redirectUrl = new URL(CALLBACK_URL, spHost).href;
+    const agent = issuerUrl !== undefined ? proxyAgent(new URL(issuerUrl)) : undefined;
     custom.setHttpOptionsDefaults({
-      ...(issuerUrl !== undefined ? {agent: proxyAgent(new URL(issuerUrl))} : {}),
+      ...(agent !== undefined ? {agent} : {}),
       ...(httpTimeout !== undefined ? {timeout: httpTimeout} : {}),
     });
     await this._initClient({ issuerUrl, clientId, clientSecret, extraMetadata });

diff --git a/test/server/lib/OIDCConfig.ts b/test/server/lib/OIDCConfig.ts
@@ -10,6 +10,7 @@ import express from "express";
 import _ from "lodash";
 import {RequestWithLogin} from "app/server/lib/Authorizer";
 import { SendAppPageFunction } from "app/server/lib/sendAppPage";
+import {HttpProxyAgent} from "http-proxy-agent";
 
 const NOOPED_SEND_APP_PAGE: SendAppPageFunction = () => Promise.resolve();
 
@@ -197,7 +198,7 @@ describe('OIDCConfig', () => {
       [
         {
           itMsg: 'when omitted should not override openid-client default value',
-          expectedUserDefinedHttpOptions: { agent: undefined }
+          expectedUserDefinedHttpOptions: { }
         },
         {
           itMsg: 'should reject when the provided value is not a number',
@@ -213,7 +214,6 @@ describe('OIDCConfig', () => {
           },
           shouldSetTimeout: true,
           expectedUserDefinedHttpOptions: {
-            agent: undefined,
             timeout: 10000
           }
         },
@@ -223,7 +223,6 @@ describe('OIDCConfig', () => {
             GRIST_OIDC_SP_HTTP_TIMEOUT: '0',
           },
           expectedUserDefinedHttpOptions: {
-            agent: undefined,
             timeout: 0
           }
         }
@@ -243,6 +242,36 @@ describe('OIDCConfig', () => {
         });
       });
     });
+
+  describe('GRIST_HTTPS_PROXY', function () {
+    const proxyURL = 'http://localhost-proxy8080';
+    const httpAgent = new HttpProxyAgent(proxyURL);
+    [
+        {
+          itMsg: 'when omitted should not set proxyAgent to oidc-client',
+          expectedUserDefinedHttpOptions: { }
+        },
+        {
+          itMsg: 'should add proxyAgent to openid-client',
+          env: {
+            GRIST_HTTPS_PROXY: proxyURL,
+          },
+          expectedUserDefinedHttpOptions: {
+            agent: httpAgent
+          }
+        }
+      ].forEach(ctx => {
+        it(ctx.itMsg, async () => {
+          const setHttpOptionsDefaultsStub = sandbox.stub(custom, 'setHttpOptionsDefaults');
+          setEnvVars();
+          Object.assign(process.env, ctx.env);
+          const promise = OIDCConfigStubbed.buildWithStub();
+          await assert.isFulfilled(promise, 'initOIDC should have been fulfilled');
+          assert.isTrue(setHttpOptionsDefaultsStub.calledOnce, 'Should have called custom.setHttpOptionsDefaults');
+          Sinon.assert.match(setHttpOptionsDefaultsStub.firstCall.args[0], ctx.expectedUserDefinedHttpOptions);
+        });
+      });
+  });
   });
 
   describe('GRIST_OIDC_IDP_ENABLED_PROTECTIONS', () => {