Merge pull request #1012 from rubensworks/fix/no-defined-origin

Add server origin by default to the list of trusted origins

Author: kjetilk

lib/handlers/allow.js

@@ -50,7 +50,7 @@ function allow (mode) {
       },
       suffix: ldp.suffixAcl,
       strictOrigin: ldp.strictOrigin,
-      trustedOrigins: ldp.trustedOrigins
+      trustedOrigins: [ldp.resourceMapper.resolveUrl(req.hostname)].concat(ldp.trustedOrigins)
     })
 
     // Ensure the user has the required permission

test/integration/authentication-oidc-test.js

@@ -212,7 +212,7 @@ describe('Authentication API (OIDC)', () => {
           })
         })
 
-        // Our origin isn't trusted by default
+        // Our origin is trusted by default
         describe('with that cookie and our origin', () => {
           let response
           before(done => {
@@ -225,6 +225,24 @@ describe('Authentication API (OIDC)', () => {
               })
           })
 
+          it('should return a 200', () => {
+            expect(response).to.have.property('status', 200)
+          })
+        })
+
+        // Another origin isn't trusted by default
+        describe('with that cookie and our origin', () => {
+          let response
+          before(done => {
+            alice.get('/')
+              .set('Cookie', cookie)
+              .set('Origin', 'https://some.other.domain.com')
+              .end((err, res) => {
+                response = res
+                done(err)
+              })
+          })
+
           it('should return a 403', () => {
             expect(response).to.have.property('status', 403)
           })