Update CF Func to: handle ports in origin domain, add an Azure SSO do…

…main, and ignore self-referers Signed-off-by: Jacob Torrey <jacob@thinkst.com>
thinkst · Feb 20, 2024 · e4f8668 · e4f8668
1 parent a86acd5
commit e4f8668
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/aws-css-token-infra/CSSClonedSiteCFFunc/index.js b/aws-css-token-infra/CSSClonedSiteCFFunc/index.js
@@ -37,21 +37,33 @@ function handler(event) {
         } else {
             referer_origin = referer;
         }
+        if (referer_origin.indexOf(':') >= 0) {
+            // There is a port in the Referer (e.g., blah.com:443)
+            // Remove the port to get the raw origin domain
+            var domain_port = referer_origin.split(':');
+            referer_origin = domain_port[0];
+        }
     }
 
     if (expected_referrer == '')
         console.log("Empty expected_referrer!");
     if (referer == '')
         console.log("Empty/missing Referer header for: " + expected_referrer);
 
-    if (expected_referrer == '' || referer == '' || referer_origin.endsWith(expected_referrer)) { // Happy case where the referer matches
+    if (expected_referrer == '' || referer == '' || referer_origin.endsWith(expected_referrer) || referer_origin.endsWith(event.context.distributionDomainName)) { 
+        // Happy case where the referer matches   
         return matching_ref_response;
     }
     if (expected_referrer.endsWith('microsoftonline.com') && referer_origin.endsWith('login.microsoft.com')) {
         // Special case of an MS login token came from login.microsoft.com instead of microsoftonline.com
         // We still want to treat this as a good login since the referer is a valid MS domain
         return matching_ref_response;
     }
+    if (expected_referrer.endsWith('microsoftonline.com') && referer_origin.endsWith('autologon.microsoftazuread-sso.com')) {
+        // Special case of an MS login token came from the Azure seamless SSO login instead of microsoftonline.com
+        // We still want to treat this as a good login since the referer is a valid MS domain
+        return matching_ref_response;
+    }
     // Default case of redirecting to the tokens server
     var response = {
         statusCode: 302,