You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, URLs used for callbacks and validation (e.g., Twilio or auth) are a combination of using General.PublicURL and trying to rebuild the incoming URL from HTTP headers like host, forwarded scheme, and referer.
We should switch to using the public URL for validation and URL generation, with the added ability to override/set the Public URL by a command-line flag, falling back to the DB config value.
This will prevent issues with reverse proxies sending the wrong headers and causing hard to debug problems. We should also update the OIDC code to always issue a redirect to the Public URL instead of relying on the referer & whitelist. With the ability to set a per-instance public URL it will still be possible to achieve what was needed with the whitelist.
Work's been started in the branch strict-url-validation using just the Public URL via command line flag (taking precedence over General.PublicURL) and adding deprecation support to show it as deprecated in the UI
The text was updated successfully, but these errors were encountered:
Currently, URLs used for callbacks and validation (e.g., Twilio or auth) are a combination of using
General.PublicURLand trying to rebuild the incoming URL from HTTP headers like host, forwarded scheme, and referer.We should switch to using the public URL for validation and URL generation, with the added ability to override/set the Public URL by a command-line flag, falling back to the DB config value.
This will prevent issues with reverse proxies sending the wrong headers and causing hard to debug problems. We should also update the OIDC code to always issue a redirect to the Public URL instead of relying on the referer & whitelist. With the ability to set a per-instance public URL it will still be possible to achieve what was needed with the whitelist.
Work's been started in the branch
strict-url-validationusing just the Public URL via command line flag (taking precedence overGeneral.PublicURL) and adding deprecation support to show it as deprecated in the UIThe text was updated successfully, but these errors were encountered: