
NoMongo: Fix XSS and CORS - MinIO (No Reverse Proxy Solution) #3755

Open
@palisadoes

Description

This issue requires someone with very good knowledge of the code base

This includes:

  • Many merged PRs
  • Meaningful updates to the repository
  • Active participation in our slack channels and design document creation

Background

  1. We created a hosted Test Website for us to evaluate the application's develop-postgres branch.
  2. The implementation of this site exposed many shortcomings which are documented in our Talawa Security Improvements - 2025 document.
  3. This is one of the action plan issues in that document.

We discovered that web browsers using Talawa Admin independently interact with both:

  1. Talawa Admin and
  2. Talawa API

This creates CORS and XSS errors. This is because the Admin app tells the web browser to interact with the configured REACT_APP_TALAWA_URL in its .env file versus the app itself.

Our contributors have tried to fix the issue by adding crossOrigin="anonymous" statements to the code. This works on localhost when developing on your local system, but fails when the apps are hosted remotely.

The test.talawa.io website runs the API and Admin on the same server and the errors are very noticeable. To fix the CORS and XSS errors we had to create a reverse proxy so that all:

  1. /graphql queries were proxied to the API app.
  2. other queries were proxied to the Admin app.

This is documented in our Demo Site Description web page.

Talawa Security Improvements - 2025

This is part of our Talawa Security Improvements - 2025 efforts.

Describe the bug

In summary:

  1. If you install the API and Admin on different devices you get XSS and CORS errors in the browser.
  2. The browser denies access to certain parts of the app with repeated 404, XSS and CORS errors.
  3. You don't notice it if the apps are both installed on localhost.
  4. You can verify this yourself by installing Admin on your local machine and configuring Admin to use the API on test.talawa.io port 443.
  5. This is very noticeable with files managed by MinIO.
    1. You can see this behavior when running the apps on localhost with the frontend on 4321 and the API on 4000.
    2. The browser blocks the attachment from being shown.
    3. To solve this people have been adding crossOrigin="anonymous" statements to the code.
    4. With this hack the browser doesn't send the auth headers or cookies, and hence avoids CORS checks.
  6. This is not a quick fix. We must not bypass the CORS checks as it's not scalable and can lead to security concerns.
  7. The fact that this is solved by adding crossOrigin allows an unauthenticated user to hit our API and get post images, exposing a big security vulnerability. The image below confirms this.
    (image)
  8. Reference Issues
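To make points 5 to 7 concrete, here is an added model (not Talawa code, not from this issue's author) of how an API's CORS policy and its session check decide who can fetch a stored asset such as a post image, and how the browser judges the answer for a CORS-mode fetch like the one `<img crossOrigin="anonymous">` performs. The origins, the cookie name `session` and the token values are constructed for the example; the permissive policy stands in for a "just make it work" configuration and the hardened one for what the API should do instead.

```javascript
// Added example, not Talawa's code: a permissive CORS policy beside a hardened
// one, applied to a cross-origin asset request. Origins, the "session" cookie
// and token values are constructed for illustration.

// --- server side -----------------------------------------------------------

// Parse the session cookie; returns the token or null.
function sessionTokenFrom(req) {
  const cookie = req.headers.cookie || '';
  for (const part of cookie.split(';')) {
    const [name, value] = part.trim().split('=');
    if (name === 'session' && value) return value;
  }
  return null;
}

// Permissive policy: any origin, no session needed. This is what makes
// crossOrigin="anonymous" "work", and it also lets any unauthenticated
// client (another origin, or curl) read the bytes.
const PERMISSIVE_POLICY = { allowedOrigins: '*', requireSession: false, validSessions: new Set() };

// Hardened policy: explicit Admin origin allowlist, credentialed CORS, session required.
function hardenedPolicy(adminOrigins, validSessions) {
  return { allowedOrigins: adminOrigins, requireSession: true, validSessions };
}

// CORS response headers for a request origin under a policy, or null if rejected.
function corsHeadersFor(origin, policy) {
  if (policy.allowedOrigins === '*') return { 'Access-Control-Allow-Origin': '*' };
  if (!origin || !policy.allowedOrigins.includes(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,          // echo only an allowlisted origin
    'Access-Control-Allow-Credentials': 'true',     // cookies may be sent and used
    Vary: 'Origin',                                 // keep caches from mixing origins
  };
}

// Decide the response for a request to a stored asset (e.g. a post image).
function handleAssetRequest(req, policy) {
  const cors = corsHeadersFor(req.headers.origin, policy);
  if (cors === null) return { status: 403, headers: {}, body: null };
  if (policy.requireSession) {
    const token = sessionTokenFrom(req);
    if (token === null || !policy.validSessions.has(token)) {
      return { status: 401, headers: cors, body: null };
    }
  }
  return { status: 200, headers: cors, body: 'IMAGE_BYTES' }; // constructed payload
}

// --- browser side ----------------------------------------------------------

// The check a browser applies to a CORS-mode response: the allowed origin must
// match the page origin, or be "*", which is only accepted for credential-less
// requests. That is exactly why "*" plus crossOrigin="anonymous" passes while
// "*" plus cookies fails.
function browserAcceptsCorsResponse(pageOrigin, headers, credentialed) {
  const allow = headers['Access-Control-Allow-Origin'];
  if (allow === '*') return !credentialed;
  return allow === pageOrigin &&
    (!credentialed || headers['Access-Control-Allow-Credentials'] === 'true');
}

// Run the scenarios from the issue against both policies; returns the outcomes.
function runScenarios() {
  const admin = 'https://admin.example';    // constructed Admin origin
  const other = 'https://other.example';    // constructed third-party origin
  const hardened = hardenedPolicy([admin], new Set(['tok-123']));
  // What crossOrigin="anonymous" (or a plain curl) produces: Origin, no cookie.
  const anonymous = (origin) => ({ headers: { origin } });
  // A logged-in Admin user's browser sending its session cookie.
  const loggedIn = (origin) => ({ headers: { origin, cookie: 'theme=dark; session=tok-123' } });
  return {
    permissiveAnonymousOther: handleAssetRequest(anonymous(other), PERMISSIVE_POLICY).status,
    hardenedAnonymousOther: handleAssetRequest(anonymous(other), hardened).status,
    hardenedAnonymousAdmin: handleAssetRequest(anonymous(admin), hardened).status,
    hardenedLoggedInAdmin: handleAssetRequest(loggedIn(admin), hardened).status,
    starWithCredentials: browserAcceptsCorsResponse(admin, { 'Access-Control-Allow-Origin': '*' }, true),
    starAnonymous: browserAcceptsCorsResponse(admin, { 'Access-Control-Allow-Origin': '*' }, false),
    hardenedCredentialed: browserAcceptsCorsResponse(admin, corsHeadersFor(admin, hardened), true),
  };
}
```

Under the permissive policy an anonymous request from any origin receives the image bytes with status 200, which is the exposure described in point 7; under the hardened policy the same request is refused (403 for a non-allowlisted origin, 401 for an allowlisted origin without a valid session), while a logged-in Admin user is served and the browser accepts the credentialed response because the origin is echoed and Allow-Credentials is set.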

Expected behavior

  1. All Talawa Admin web browser traffic must only interact with the Talawa Admin app on port 4321 (or its configured value).
  2. No web browser traffic must interact with the API directly.
  3. No CORS and XSS errors when Admin and the API are hosted on separate servers.
    1. A reverse proxy for both apps on the same server does not allow us to host the apps separately.
  4. There must be no need to implement a web proxy for this purpose.
  5. This must be 100% tested, and all tests must be valid.

Actual behavior

  • See above

Other

You will need to submit multiple PRs to get this done:

  1. This will reduce the risk of merge conflicts
  2. It will make reviews faster
  3. Submit PRs per left nav/drawer function.
  4. Most of the violations are in the user portal.

Potential internship candidates

Please read this if you are planning to apply for a Palisadoes Foundation internship

Metadata

Assignees

Labels

  • GSoC Priority
  • bug: Something isn't working
  • good first issue: Good for newcomers
  • no-issue-activity: No issue activity
  • security: Security fix
  • test: Testing application
  • ui/ux: issue related and being worked with the figma file of the Admin UI

Type

No type

Projects

  • Status

    Backlog

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests