rsnext/test/e2e/app-dir/actions-allowed-origins/app-action-disallowed-origins.test.ts

import { createNextDescribe } from 'e2e-utils'
import { check } from 'next-test-utils'
import { join } from 'path'

createNextDescribe(
  'app-dir action disallowed origins',
  {
    files: join(__dirname, 'unsafe-origins'),
    skipDeployment: true,
    dependencies: {
      react: 'latest',
      'react-dom': 'latest',
      'server-only': 'latest',
    },
  },
  ({ next }) => {
    // Origin should be localhost
    it('should error if x-forwarded-host does not match the origin', async function () {
      const browser = await next.browser('/')

      await browser.elementByCss('button').click()

      await check(async () => {
        const t = await browser.elementByCss('#res').text()
        return t.includes('Invalid Server Actions request.') ||
          // In prod the message is hidden
          t.includes('An error occurred in the Server Components render.')
          ? 'yes'
          : 'no'
      }, 'yes')
    })
  }
)
Add `serverActions.allowedForwardedHosts` option (#57529) This new option specifies a list of host names that are considered safe, to accept as Server Action requests if they're different from the initial request origin. It can be very helpful when the hosted app has many layers of reverse proxies ahead. Closes #57397. 2023-11-01 13:20:00 +01:00			`import { createNextDescribe } from 'e2e-utils'`
			`import { check } from 'next-test-utils'`
Change allowed forwarded hosts to be allowed origins for Server Actions (#58023) The allowlist should be origin domains that are allowed to send the requests, not the list of forwarded hosts (i.e. reverse proxies). 2023-11-08 11:20:32 +01:00			`import { join } from 'path'`
Add `serverActions.allowedForwardedHosts` option (#57529) This new option specifies a list of host names that are considered safe, to accept as Server Action requests if they're different from the initial request origin. It can be very helpful when the hosted app has many layers of reverse proxies ahead. Closes #57397. 2023-11-01 13:20:00 +01:00
			`createNextDescribe(`
Change allowed forwarded hosts to be allowed origins for Server Actions (#58023) The allowlist should be origin domains that are allowed to send the requests, not the list of forwarded hosts (i.e. reverse proxies). 2023-11-08 11:20:32 +01:00			`'app-dir action disallowed origins',`
Add `serverActions.allowedForwardedHosts` option (#57529) This new option specifies a list of host names that are considered safe, to accept as Server Action requests if they're different from the initial request origin. It can be very helpful when the hosted app has many layers of reverse proxies ahead. Closes #57397. 2023-11-01 13:20:00 +01:00			`{`
Change allowed forwarded hosts to be allowed origins for Server Actions (#58023) The allowlist should be origin domains that are allowed to send the requests, not the list of forwarded hosts (i.e. reverse proxies). 2023-11-08 11:20:32 +01:00			`files: join(__dirname, 'unsafe-origins'),`
Add `serverActions.allowedForwardedHosts` option (#57529) This new option specifies a list of host names that are considered safe, to accept as Server Action requests if they're different from the initial request origin. It can be very helpful when the hosted app has many layers of reverse proxies ahead. Closes #57397. 2023-11-01 13:20:00 +01:00			`skipDeployment: true,`
			`dependencies: {`
			`react: 'latest',`
			`'react-dom': 'latest',`
			`'server-only': 'latest',`
			`},`
			`},`
			`({ next }) => {`
Change allowed forwarded hosts to be allowed origins for Server Actions (#58023) The allowlist should be origin domains that are allowed to send the requests, not the list of forwarded hosts (i.e. reverse proxies). 2023-11-08 11:20:32 +01:00			`// Origin should be localhost`
			`it('should error if x-forwarded-host does not match the origin', async function () {`
			`const browser = await next.browser('/')`
Add `serverActions.allowedForwardedHosts` option (#57529) This new option specifies a list of host names that are considered safe, to accept as Server Action requests if they're different from the initial request origin. It can be very helpful when the hosted app has many layers of reverse proxies ahead. Closes #57397. 2023-11-01 13:20:00 +01:00
			`await browser.elementByCss('button').click()`

			`await check(async () => {`
			`const t = await browser.elementByCss('#res').text()`
			`return t.includes('Invalid Server Actions request.') \|\|`
			`// In prod the message is hidden`
			`t.includes('An error occurred in the Server Components render.')`
			`? 'yes'`
			`: 'no'`
			`}, 'yes')`
			`})`
			`}`
			`)`