mirror of
https://github.com/lingble/chatwoot.git
synced 2025-10-30 02:32:29 +00:00
de4430ea5d
We wanted to provide an option for users to specify the domains on which
they can show the website. The rest of the sites shouldn't see the
widget at all.
It's not possible generally through Origin because you can't get Origin
when loading via an iframe. What I've done is add frame ancestors for
the domains specified in allowed domains. I hope this solves most of the
problems.
This is added in a way that it won't affect existing widgets. Only If
they have configured allowed domains, it will start blocking. Otherwise,
it would follow the previous behavior without any changes.
This change supports called wild card domains as well. You can add a
comma‑separated list of domains, either wild card or regular domains.
---
To test, deploy to staging. Call the following API to update the
allowed_domains list.
```
URL: PATCH /api/v1/accounts/<account-id>/inboxes/<inbox-id>
Payload:
{
"channel": { "allowed_domains": "*.chatwoot.dev,chatwoot.com" }
}
```
Fixes https://github.com/chatwoot/chatwoot/issues/1985
83 lines
2.4 KiB
Ruby
83 lines
2.4 KiB
Ruby
# TODO : Delete this and associated spec once 'api/widget/config' end point is merged
|
|
class WidgetsController < ActionController::Base
|
|
include WidgetHelper
|
|
|
|
before_action :set_global_config
|
|
before_action :set_web_widget
|
|
before_action :ensure_account_is_active
|
|
before_action :ensure_location_is_supported
|
|
before_action :set_token
|
|
before_action :set_contact
|
|
before_action :build_contact
|
|
after_action :allow_iframe_requests
|
|
|
|
private
|
|
|
|
def set_global_config
|
|
@global_config = GlobalConfig.get('LOGO_THUMBNAIL', 'BRAND_NAME', 'WIDGET_BRAND_URL', 'DIRECT_UPLOADS_ENABLED', 'INSTALLATION_NAME')
|
|
end
|
|
|
|
def set_web_widget
|
|
@web_widget = ::Channel::WebWidget.find_by!(website_token: permitted_params[:website_token])
|
|
rescue ActiveRecord::RecordNotFound
|
|
Rails.logger.error('web widget does not exist')
|
|
render json: { error: 'web widget does not exist' }, status: :not_found
|
|
end
|
|
|
|
def set_token
|
|
@token = permitted_params[:cw_conversation]
|
|
@auth_token_params = if @token.present?
|
|
::Widget::TokenService.new(token: @token).decode_token
|
|
else
|
|
{}
|
|
end
|
|
end
|
|
|
|
def set_contact
|
|
return if @auth_token_params[:source_id].nil?
|
|
|
|
@contact_inbox = ::ContactInbox.find_by(
|
|
inbox_id: @web_widget.inbox.id,
|
|
source_id: @auth_token_params[:source_id]
|
|
)
|
|
|
|
@contact = @contact_inbox&.contact
|
|
end
|
|
|
|
def build_contact
|
|
return if @contact.present?
|
|
|
|
@contact_inbox, @token = build_contact_inbox_with_token(@web_widget, additional_attributes)
|
|
@contact = @contact_inbox.contact
|
|
end
|
|
|
|
def ensure_account_is_active
|
|
render json: { error: 'Account is suspended' }, status: :unauthorized unless @web_widget.inbox.account.active?
|
|
end
|
|
|
|
def ensure_location_is_supported; end
|
|
|
|
def additional_attributes
|
|
if @web_widget.inbox.account.feature_enabled?('ip_lookup')
|
|
{ created_at_ip: request.remote_ip }
|
|
else
|
|
{}
|
|
end
|
|
end
|
|
|
|
def permitted_params
|
|
params.permit(:website_token, :cw_conversation)
|
|
end
|
|
|
|
def allow_iframe_requests
|
|
if @web_widget.allowed_domains.blank?
|
|
response.headers.delete('X-Frame-Options')
|
|
else
|
|
domains = @web_widget.allowed_domains.split(',').map(&:strip).join(' ')
|
|
response.headers['Content-Security-Policy'] = "frame-ancestors #{domains}"
|
|
end
|
|
end
|
|
end
|
|
|
|
WidgetsController.prepend_mod_with('WidgetsController')
|