Add tenant.AllowedSchemes advanced configuration item (#1332)

* Add tenant.AllowedSchemes advanced configuration item

Specifying ^monero:[48] or ^bitcoin:(1|3|bc1) allows cryptocurrency
payment links

These were rendered but then sanitised away to <a>...</a> w/o href=

Ref: https://bounties.monero.social/posts/15/1-200m-monero-bounties-site-parse-donation-address-as-link

* Ship the config via useFider()

* Work around useContext() restrixion in test

* Disable allowed schemes by setting ALLOW_ALLOWED_SCHEMES=false

* Hide Allowed URL Schemes config if disabled

* Bump migration date

Author: nabijaczleweli

.example.env

@@ -2,6 +2,7 @@ BASE_URL=http://localhost:3000
 GO_ENV=development
 DATABASE_URL=postgres://fider:fider_pw@localhost:5555/fider?sslmode=disable
 JWT_SECRET=hsjl]W;&ZcHxT&FK;s%bgIQF:#ch=~#Al4:5]N;7V<qPZ3e9lT4'%;go;LIkc%k
+# ALLOW_ALLOWED_SCHEMES=false
 
 LOG_LEVEL=DEBUG
 LOG_CONSOLE=true

app/actions/tenant.go

@@ -177,7 +177,8 @@ func (action *UpdateTenantSettings) Validate(ctx context.Context, user *entity.U
 
 // UpdateTenantAdvancedSettings is the input model used to update tenant advanced settings
 type UpdateTenantAdvancedSettings struct {
-	CustomCSS string `json:"customCSS"`
+	CustomCSS      string `json:"customCSS"`
+	AllowedSchemes string `json:"allowedSchemes"`
 }
 
 // IsAuthorized returns true if current user is authorized to perform this action

app/handlers/admin.go

@@ -32,6 +32,7 @@ func AdvancedSettingsPage() web.HandlerFunc {
 			Title: "Advanced · Site Settings",
 			Data: web.Map{
 				"customCSS": c.Tenant().CustomCSS,
+				"allowedSchemes": c.Tenant().AllowedSchemes,
 			},
 		})
 	}
@@ -84,6 +85,7 @@ func UpdateAdvancedSettings() web.HandlerFunc {
 
 		if err := bus.Dispatch(c, &cmd.UpdateTenantAdvancedSettings{
 			CustomCSS: action.CustomCSS,
+			AllowedSchemes: action.AllowedSchemes,
 		}); err != nil {
 			return c.Failure(err)
 		}

app/models/cmd/tenant.go

@@ -35,7 +35,8 @@ type UpdateTenantSettings struct {
 }
 
 type UpdateTenantAdvancedSettings struct {
-	CustomCSS string
+	CustomCSS      string
+	AllowedSchemes string
 }
 
 type ActivateTenant struct {

app/models/entity/tenant.go

@@ -15,6 +15,7 @@ type Tenant struct {
 	IsPrivate          bool              `json:"isPrivate"`
 	LogoBlobKey        string            `json:"logoBlobKey"`
 	CustomCSS          string            `json:"-"`
+	AllowedSchemes     string            `json:"allowedSchemes"`
 	IsEmailAuthAllowed bool              `json:"isEmailAuthAllowed"`
 	IsFeedEnabled      bool              `json:"isFeedEnabled"`
 	PreventIndexing    bool              `json:"preventIndexing"`

app/pkg/env/env.go

@@ -54,6 +54,7 @@ type config struct {
 	Locale                      string `env:"LOCALE,default=en"`
 	JWTSecret                   string `env:"JWT_SECRET,required"`
 	PostCreationWithTagsEnabled bool   `env:"POST_CREATION_WITH_TAGS_ENABLED,default=false"`
+	AllowAllowedSchemes         bool   `env:"ALLOW_ALLOWED_SCHEMES,default=true"`
 	Paddle                      struct {
 		IsSandbox      bool   `env:"PADDLE_SANDBOX,default=false"`
 		VendorID       string `env:"PADDLE_VENDOR_ID"`

app/pkg/web/renderer.go

@@ -204,18 +204,19 @@ func (r *Renderer) Render(w io.Writer, statusCode int, props Props, ctx *Context
 	public["tenant"] = tenant
 	public["props"] = props.Data
 	public["settings"] = &Map{
-		"mode":             env.Config.HostMode,
-		"locale":           locale,
-		"localeDirection":  localeDirection,
-		"environment":      env.Config.Environment,
-		"googleAnalytics":  env.Config.GoogleAnalytics,
-		"domain":           env.MultiTenantDomain(),
-		"hasLegal":         env.HasLegal(),
-		"isBillingEnabled": env.IsBillingEnabled(),
-		"baseURL":          ctx.BaseURL(),
-		"assetsURL":        AssetsURL(ctx, ""),
-		"oauth":            oauthProviders.Result,
-		"postWithTags":     env.Config.PostCreationWithTagsEnabled,
+		"mode":                env.Config.HostMode,
+		"locale":              locale,
+		"localeDirection":     localeDirection,
+		"environment":         env.Config.Environment,
+		"googleAnalytics":     env.Config.GoogleAnalytics,
+		"domain":              env.MultiTenantDomain(),
+		"hasLegal":            env.HasLegal(),
+		"isBillingEnabled":    env.IsBillingEnabled(),
+		"baseURL":             ctx.BaseURL(),
+		"assetsURL":           AssetsURL(ctx, ""),
+		"oauth":               oauthProviders.Result,
+		"postWithTags":        env.Config.PostCreationWithTagsEnabled,
+		"allowAllowedSchemes": env.Config.AllowAllowedSchemes,
 	}
 
 	if ctx.IsAuthenticated() {

app/pkg/web/testdata/basic.html

@@ -45,7 +45,7 @@ <h2 class="text-display2">Please enable JavaScript</h2>
 
   <script id="server-data" type="application/json">
 
-  {"contextID":"CONTEXT_ID","page":"","props":{},"sessionID":"","settings":{"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":null,"title":"Fider"}
+  {"contextID":"CONTEXT_ID","page":"","props":{},"sessionID":"","settings":{"allowAllowedSchemes":true,"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":null,"title":"Fider"}
 
   </script>
 

app/pkg/web/testdata/canonical.html

@@ -47,7 +47,7 @@ <h2 class="text-display2">Please enable JavaScript</h2>
 
   <script id="server-data" type="application/json">
 
-  {"contextID":"CONTEXT_ID","page":"","props":{},"sessionID":"","settings":{"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":null,"title":"Fider"}
+  {"contextID":"CONTEXT_ID","page":"","props":{},"sessionID":"","settings":{"allowAllowedSchemes":true,"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":null,"title":"Fider"}
 
   </script>
 

app/pkg/web/testdata/chunk.html

@@ -45,7 +45,7 @@ <h2 class="text-display2">Please enable JavaScript</h2>
 
   <script id="server-data" type="application/json">
 
-  {"contextID":"CONTEXT_ID","page":"Test.page","props":{},"sessionID":"","settings":{"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":null,"title":"Fider"}
+  {"contextID":"CONTEXT_ID","page":"Test.page","props":{},"sessionID":"","settings":{"allowAllowedSchemes":true,"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":null,"title":"Fider"}
 
   </script>