[WEB-3700] chore: improve authentication redirections (#6836)

* chore: update redirections to be from allowed hosts * chore: update redirection logic * chore: add web url in settings * chore: add next path validation * chore: update typings * chore: update typings * chore: update types --------- Co-authored-by: sriram veeraghanta <veeraghanta.sriram@gmail.com>
2025-04-02 23:09:27 +05:30 · 2025-04-02 23:09:27 +05:30 · d9e3405f5a
commit d9e3405f5a
parent adee686ea3
45 changed files with 230 additions and 196 deletions
--- a/apiserver/plane/api/views/cycle.py
+++ b/apiserver/plane/api/views/cycle.py
@ -39,7 +39,7 @@ from plane.db.models import (
    UserFavorite,
 )
 from plane.utils.analytics_plot import burndown_plot
-
+from plane.utils.host import base_host
 from .base import BaseAPIView
 from plane.bgtasks.webhook_task import model_activity

@ -259,7 +259,7 @@ class CycleAPIEndpoint(BaseAPIView):
                    current_instance=None,
                    actor_id=request.user.id,
                    slug=slug,
-                    origin=request.META.get("HTTP_ORIGIN"),
+                    origin=base_host(request=request, is_app=True),
                )
                return Response(serializer.data, status=status.HTTP_201_CREATED)
            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@ -331,7 +331,7 @@ class CycleAPIEndpoint(BaseAPIView):
                current_instance=current_instance,
                actor_id=request.user.id,
                slug=slug,
-                origin=request.META.get("HTTP_ORIGIN"),
+                origin=base_host(request=request, is_app=True),
            )
            return Response(serializer.data, status=status.HTTP_200_OK)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@ -702,7 +702,7 @@ class CycleIssueAPIEndpoint(BaseAPIView):
            ),
            epoch=int(timezone.now().timestamp()),
            notification=True,
-            origin=request.META.get("HTTP_ORIGIN"),
+            origin=base_host(request=request, is_app=True),
        )
        # Return all Cycle Issues
        return Response(
@ -1176,7 +1176,7 @@ class TransferCycleIssueAPIEndpoint(BaseAPIView):
            ),
            epoch=int(timezone.now().timestamp()),
            notification=True,
-            origin=request.META.get("HTTP_ORIGIN"),
+            origin=base_host(request=request, is_app=True),
        )

        return Response({"message": "Success"}, status=status.HTTP_200_OK)
--- a/apiserver/plane/api/views/intake.py
+++ b/apiserver/plane/api/views/intake.py
@ -18,7 +18,7 @@ from plane.api.serializers import IntakeIssueSerializer, IssueSerializer
 from plane.app.permissions import ProjectLitePermission
 from plane.bgtasks.issue_activities_task import issue_activity
 from plane.db.models import Intake, IntakeIssue, Issue, Project, ProjectMember, State
-
+from plane.utils.host import base_host
 from .base import BaseAPIView


@ -297,7 +297,7 @@ class IntakeIssueAPIEndpoint(BaseAPIView):
                    current_instance=current_instance,
                    epoch=int(timezone.now().timestamp()),
                    notification=False,
-                    origin=request.META.get("HTTP_ORIGIN"),
+                    origin=base_host(request=request, is_app=True),
                    intake=str(intake_issue.id),
                )

--- a/apiserver/plane/api/views/issue.py
+++ b/apiserver/plane/api/views/issue.py
@ -56,6 +56,7 @@ from plane.db.models import (
 from plane.settings.storage import S3Storage
 from plane.bgtasks.storage_metadata_task import get_asset_object_metadata
 from .base import BaseAPIView
+from plane.utils.host import base_host


 class WorkspaceIssueAPIEndpoint(BaseAPIView):
@ -1048,7 +1049,7 @@ class IssueAttachmentEndpoint(BaseAPIView):
            current_instance=None,
            epoch=int(timezone.now().timestamp()),
            notification=True,
-            origin=request.META.get("HTTP_ORIGIN"),
+            origin=base_host(request=request, is_app=True),
        )

        # Get the storage metadata
@ -1108,7 +1109,7 @@ class IssueAttachmentEndpoint(BaseAPIView):
                current_instance=json.dumps(serializer.data, cls=DjangoJSONEncoder),
                epoch=int(timezone.now().timestamp()),
                notification=True,
-                origin=request.META.get("HTTP_ORIGIN"),
+                origin=base_host(request=request, is_app=True),
            )

            # Update the attachment
--- a/apiserver/plane/api/views/module.py
+++ b/apiserver/plane/api/views/module.py
@ -33,6 +33,7 @@ from plane.db.models import (

 from .base import BaseAPIView
 from plane.bgtasks.webhook_task import model_activity
+from plane.utils.host import base_host


 class ModuleAPIEndpoint(BaseAPIView):
@ -174,7 +175,7 @@ class ModuleAPIEndpoint(BaseAPIView):
                current_instance=None,
                actor_id=request.user.id,
                slug=slug,
-                origin=request.META.get("HTTP_ORIGIN"),
+                origin=base_host(request=request, is_app=True),
            )
            module = Module.objects.get(pk=serializer.data["id"])
            serializer = ModuleSerializer(module)
@ -226,7 +227,7 @@ class ModuleAPIEndpoint(BaseAPIView):
                current_instance=current_instance,
                actor_id=request.user.id,
                slug=slug,
-                origin=request.META.get("HTTP_ORIGIN"),
+                origin=base_host(request=request, is_app=True),
            )

            return Response(serializer.data, status=status.HTTP_200_OK)
@ -280,6 +281,7 @@ class ModuleAPIEndpoint(BaseAPIView):
            project_id=str(project_id),
            current_instance=json.dumps({"module_name": str(module.name)}),
            epoch=int(timezone.now().timestamp()),
+            origin=base_host(request=request, is_app=True),
        )
        module.delete()
        # Delete the module issues
@ -449,6 +451,7 @@ class ModuleIssueAPIEndpoint(BaseAPIView):
                }
            ),
            epoch=int(timezone.now().timestamp()),
+            origin=base_host(request=request, is_app=True),
        )

        return Response(
--- a/apiserver/plane/api/views/project.py
+++ b/apiserver/plane/api/views/project.py
@ -30,7 +30,7 @@ from plane.db.models import (
 )
 from plane.bgtasks.webhook_task import model_activity, webhook_activity
 from .base import BaseAPIView
-
+from plane.utils.host import base_host

 class ProjectAPIEndpoint(BaseAPIView):
    """Project Endpoints to create, update, list, retrieve and delete endpoint"""
@ -228,7 +228,7 @@ class ProjectAPIEndpoint(BaseAPIView):
                    current_instance=None,
                    actor_id=request.user.id,
                    slug=slug,
-                    origin=request.META.get("HTTP_ORIGIN"),
+                    origin=base_host(request=request, is_app=True),
                )

                serializer = ProjectSerializer(project)
@ -297,7 +297,7 @@ class ProjectAPIEndpoint(BaseAPIView):
                    current_instance=current_instance,
                    actor_id=request.user.id,
                    slug=slug,
-                    origin=request.META.get("HTTP_ORIGIN"),
+                    origin=base_host(request=request, is_app=True),
                )

                serializer = ProjectSerializer(project)
@ -334,7 +334,7 @@ class ProjectAPIEndpoint(BaseAPIView):
            new_value=None,
            actor_id=request.user.id,
            slug=slug,
-            current_site=request.META.get("HTTP_ORIGIN"),
+            current_site=base_host(request=request, is_app=True),
            event_id=project.id,
            old_identifier=None,
            new_identifier=None,