From 00696cf5a2a372d466b6d9c6d3e66f0760f562fa Mon Sep 17 00:00:00 2001
From: igor <igor.markin@vereign.com>
Date: Mon, 16 Nov 2020 16:32:47 +0300
Subject: [PATCH] Implement check for permitted domains

---
 Gopkg.toml                              |  2 +-
 javascript/src/iframe/viamapi-iframe.js | 26 +++++++++++++++++++++++--
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/Gopkg.toml b/Gopkg.toml
index 337f386..304c6fe 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -25,7 +25,7 @@
 #   unused-packages = true
 
 [[constraint]]
-  branch = "master"
+  branch = "iframe-security"
   name = "code.vereign.com/code/restful-api"
 
 [prune]
diff --git a/javascript/src/iframe/viamapi-iframe.js b/javascript/src/iframe/viamapi-iframe.js
index d7c90e2..1830dfa 100644
--- a/javascript/src/iframe/viamapi-iframe.js
+++ b/javascript/src/iframe/viamapi-iframe.js
@@ -546,7 +546,7 @@ function getCertificateForPassport(passportUUID, internal) {
 const connection = Penpal.connectToParent({
   // Methods child is exposing to parent
   methods: {
-    initialize: (apiUrl, wopiUrl, collaboraUrl) => {
+    initialize: async (apiUrl, wopiUrl, collaboraUrl) => {
       if (!apiUrl) {
         apiUrl = `${window.location.origin}/api/`;
         console.warn(`API host URL not specified. Fall back to ${apiUrl}`); // eslint-disable-line no-console
@@ -572,6 +572,28 @@ const connection = Penpal.connectToParent({
         collaboraUrl.charAt(collaboraUrl.length - 1) === "/"
           ? collaboraUrl
           : collaboraUrl + "/";
+
+      const { code, data: { domains: permittedDomains }} = await penpalMethods.identityGetPermittedDomains();
+
+      if (code !== "200") {
+        throw new Error("Unable to retrieve a list of permitted domains.")
+      }
+
+      if (permittedDomains && permittedDomains.length) {
+        const iframeOrigin = document.referrer;
+        let iframeOriginIsPermitted = false;
+
+        for (const domain of permittedDomains) {
+          if (iframeOrigin.includes(domain)) {
+            iframeOriginIsPermitted = true;
+            break;
+          }
+        }
+
+        if (!iframeOriginIsPermitted) {
+          throw new Error(`Iframe origin "${iframeOrigin}" is not permitted.`)
+        }
+      }
     },
     ...penpalMethods,
     createIdentity(pinCode) {
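Review bot: The permission test `iframeOrigin.includes(domain)` is a substring match over the whole `document.referrer` URL, so a referrer that merely contains a permitted name in a longer hostname, a path or a query string is accepted (constructed example: `https://app.example.com.other.test/` against a permitted `app.example.com`). Parse the referrer and compare its hostname exactly or on a dot boundary, as in the fence below; this assumes the list holds bare hostnames, and if it holds origins the comparison should use `new URL(document.referrer).origin` instead. `document.referrer` depends on the embedding page's referrer policy and may be empty, so the empty case should be rejected explicitly rather than left to `includes`. The destructuring of `data.domains` runs before the `code !== "200"` test, so a failed response without `data` surfaces as a TypeError instead of the intended error. The check lives only in `initialize` while `...penpalMethods` is exposed next to it in a `methods` object that continues outside the hunk, so it is worth confirming that the other methods refuse to run until initialization has succeeded.

```javascript
      if (permittedDomains && permittedDomains.length) {
        const iframeOrigin = document.referrer;
        let referrerHost = "";

        try {
          referrerHost = new URL(iframeOrigin).hostname;
        } catch (e) {
          // Empty or malformed referrer: referrerHost stays empty and the check fails closed.
        }

        // Exact host or a subdomain on a dot boundary; drop the endsWith clause
        // if only exact hosts should pass.
        const iframeOriginIsPermitted =
          referrerHost !== "" &&
          permittedDomains.some(
            domain => referrerHost === domain || referrerHost.endsWith(`.${domain}`)
          );

        // … unchanged: throw when !iframeOriginIsPermitted …
```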
@@ -2589,7 +2611,7 @@ connection.promise.then(parent => {
           false
         );
 
-        await setCurrentlyLoadedIdentity(identity);
+        !window.currentlyLoadedIdentity && await setCurrentlyLoadedIdentity(identity);
 
         if (!identityAuthenticatedEvent && identity) {
           const event = createEvent("IdentityAuthenticated", "Authenticated", [
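Review bot: The added line `!window.currentlyLoadedIdentity && await setCurrentlyLoadedIdentity(identity);` uses a short-circuit expression as a statement for its side effect, which hides the condition and trips lint rules such as `no-unused-expressions`; write it as `if (!window.currentlyLoadedIdentity) { await setCurrentlyLoadedIdentity(identity); }`. The guard also means that when some identity is already loaded, the `identity` from this call is not made current even if it differs from the loaded one. Whether that is intended is not visible here, so a short comment stating why the reload is skipped would help, for example `// keep the identity that is already loaded; only set it on first authentication`. The enclosing callback starts and ends outside the hunk.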
-- 
GitLab