From d070a82b3d0149904a5d54ec3608c5789a6a265a Mon Sep 17 00:00:00 2001
From: Ahmad Thoriq Najahi
Date: Fri, 24 May 2024 04:51:19 +0700
Subject: feat: Enhance host extraction from headers (#2292)

- Refactor SUBController subs and subJsons methods to extract host from X-Forwarded-Host header, falling back to X-Real-IP header and then to the request host if unavailable.
- Update html function to extract host from X-Forwarded-Host header, falling back to X-Real-IP header and then to the request host if unavailable.
- Update DomainValidatorMiddleware to first attempt to extract host from X-Forwarded-Host header, falling back to X-Real-IP header and then to the request host.
Fixes: #2284
Signed-off-by: Ahmad Thoriq Najahi
---
 web/middleware/domainValidator.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
(limited to 'web/middleware')

diff --git a/web/middleware/domainValidator.go b/web/middleware/domainValidator.go
index 2beecfdb..26a23895 100644
--- a/web/middleware/domainValidator.go
+++ b/web/middleware/domainValidator.go
@@ -9,13 +9,17 @@ import (
 
 func DomainValidatorMiddleware(domain string) gin.HandlerFunc {
 return func(c *gin.Context) {
- host, _, _ := net.SplitHostPort(c.Request.Host)
-
- if host != domain {
- c.AbortWithStatus(http.StatusForbidden)
- return
+ host := c.GetHeader("X-Forwarded-Host")
+ if host == "" {
+ host = c.GetHeader("X-Real-IP")
 }
-
+ if host == "" {
+ host, _, _ := net.SplitHostPort(c.Request.Host)
+ if host != domain {
+ c.AbortWithStatus(http.StatusForbidden)
+ return
+ }
 c.Next()
+ }
 }
 }
-- 
cgit v1.2.3
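Review bot: The comparison against `domain` now sits inside the second `if host == "" {` block, so it only runs when both `X-Forwarded-Host` and `X-Real-IP` are absent; a request carrying either header reaches neither the check nor `AbortWithStatus`, and because gin continues the handler chain once a middleware returns without aborting, validation is skipped for it. The inner `host, _, _ := net.SplitHostPort(c.Request.Host)` also shadows the outer `host`, so a header-derived value is never compared with `domain` at all. The check should run once on every path after the host has been resolved, as in the sketch below. `X-Real-IP` conventionally carries the client address rather than a host name, and both headers are client-supplied unless a trusted reverse proxy overwrites them, so the sketch drops `X-Real-IP`, and the forwarded header should only be honoured when the panel is known to sit behind such a proxy. The sketch also keeps the value unchanged when `SplitHostPort` returns an error, since a forwarded host often has no port.

```go
	return func(c *gin.Context) {
		host := c.GetHeader("X-Forwarded-Host")
		if host == "" {
			host = c.Request.Host
		}
		// Strip an optional port; keep the value as-is when none is present.
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
		// Compare on every path, whichever source supplied the host.
		if host != domain {
			c.AbortWithStatus(http.StatusForbidden)
			return
		}
		c.Next()
	}
```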