Feature: Allowed domains for chatflows #1765
Conversation
0xi4o
commented
Feb 20, 2024
•
0xi4o
commented
- Adds an allowed domains dialog for chatflows where users can whitelist which domains can access the chatflow. By default all domains are allowed. If a list is present, then only those domains can use the chatflow prediction, either from embed or API.
|
I'm a little confused why you'd use this over CORS or CSP? They do the same thing but at a lower level to ensure no access can be done at all except from the whitelisted domains. |
|
the intention is to allow the chatbot to be embedded on specific domain: |
|
Yea I get that but that's the same thing CORS does. Except CORS will pass security tests since the preflight options will also fail when not on an allowed domain. It's the same functionality just at the level where it's expected. Otherwise they'll be tempted to set CORS to * and use this new config instead which isn't secure, since any domain will be able to access the REST API, regardless of this setting. If you remember I mentioned this on the other ticket. The very first request xdomain sends is OPTIONS preflight check. This is before any logic can be done about a chatbot ID, thus CORS is in the HTTP pipeline and configured at the env level. |
|
If your goal is to solve multi tenancy in cloud hosting (1 host per N clients) then better to solve it with actual accounts and tenancy, where you keep the tenancy as the initial request and sticky it somehow through all subsequent requests. Anyways just my $0.02 😄 |
yeah I think there are 2 level of users for Flowise, for devs its always welcomed to set the env variables CORS for that. For no-code users they might not be familiar with the CORS and setting env variables, so this is an alternative, although it doesnt solve at the very root level, but still offers some protective mechanism at the very least |
0xi4o
requested review from
chungyau97,
vinodkiran and
HenryHengZJ
and removed request for
vinodkiran
|
@HenryHengZJ I've updated the error message for a non-whitelisted domain. Please review this. |
packages/server/src/index.ts
Outdated
| if (chatflow.chatbotConfig) { | ||
| const parsedConfig = JSON.parse(chatflow.chatbotConfig) | ||
| // check whether the first one is not empty. if it is empty that means the user set a value and then removed it. | ||
| const isValidAllowedOrigins = parsedConfig.allowedOrigins[0] !== '' |
There was a problem hiding this comment.
what if parsedConfig doesn't have the property allowedOrigins, will it fails?
shouldn't we do something like parsedConfig.allowedOrigins?.length && parsedConfig.allowedOrigins[0] !== '' ?
packages/server/src/index.ts
Outdated
| const origin = new URL(originHeader).host | ||
| isDomainAllowed = | ||
| parsedConfig.allowedOrigins.filter((domain: string) => { | ||
| const allowedOrigin = new URL(domain).host |
There was a problem hiding this comment.
if domain is invalid, you will get error Invalid URL and the apps shut down due to unhandled rejection
