"trust proxy" does not make Request.hostname use the value of X-Forwarded-Host #68
Description
Regarding Request.hostname, the lambda-express code states:
When the
trust proxyapp setting is truthy, [thehostname] property will instead have the value of theX-Forwarded-Hostheader field.
Unfortunately, the hostname code doesn't seem to actually do that. Tests that are listed below fail due to this. Seems like either the docs or the code needs to change.
Unit Tests
describe('hostname property', () => {
const testCases = [
{
host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
expectedWithTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
},
{
host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443',
expectedWithTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
},
{
host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
xForwardedHost: 'api.example.com',
expectedWithTrustProxy: 'api.example.com',
expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
},
{
host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443',
xForwardedHost: 'api.example.com',
expectedWithTrustProxy: 'api.example.com',
expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
},
{
host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
xForwardedHost: 'api.example.com:433',
expectedWithTrustProxy: 'api.example.com',
expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
},
{
host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443',
xForwardedHost: 'api.example.com:443',
expectedWithTrustProxy: 'api.example.com',
expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
},
];
it('parses proper values - APIGW', () => {
_.each(testCases, (testCase) => {
let evt: RequestEvent = apiGatewayRequest(),
req;
evt.headers.Host = testCase.host;
if (testCase.xForwardedHost) {
evt.headers['X-Forwarded-Host'] = testCase.xForwardedHost;
evt.multiValueHeaders['X-Forwarded-Host'] = [ testCase.xForwardedHost ];
} else {
delete evt.headers['X-Forwarded-Host'];
delete evt.multiValueHeaders['X-Forwarded-Host'];
}
app.enable('trust proxy');
req = new Request(app, evt, handlerContext());
expect(req.hostname).to.eql(testCase.expectedWithTrustProxy);
app.disable('trust proxy');
req = new Request(app, evt, handlerContext());
expect(req.hostname).to.eql(testCase.expectedWithoutTrustProxy);
});
});
it('parses proper values - ALB', () => {
_.each(testCases, (testCase) => {
let req;
_.each([ albRequest(), albMultiValHeadersRequest() ], (evt) => {
if (evt.headers) {
evt.headers.host = testCase.host;
if (testCase.xForwardedHost) {
evt.headers['X-Forwarded-Host'] = testCase.xForwardedHost;
} else {
delete evt.headers['X-Forwarded-Host'];
}
}
if (evt.multiValueHeaders) {
evt.multiValueHeaders.host = [ testCase.host ];
if (testCase.xForwardedHost) {
evt.multiValueHeaders['X-Forwarded-Host'] = [ testCase.xForwardedHost ];
} else {
delete evt.multiValueHeaders['X-Forwarded-Host'];
}
}
app.enable('trust proxy');
req = new Request(app, evt, handlerContext());
expect(req.hostname).to.eql(testCase.expectedWithTrustProxy);
app.disable('trust proxy');
req = new Request(app, evt, handlerContext());
expect(req.hostname).to.eql(testCase.expectedWithoutTrustProxy);
});
});
});
});