From 75aaae5d5c13cb908a50c923c67f502e04b8156d Mon Sep 17 00:00:00 2001
From: Davide Porrovecchio
Date: Tue, 26 Feb 2019 17:03:20 +0100
Subject: [PATCH] FEATURE: Allow wildcard in allowed_user_api_auth_redirects setting (#6779)

---
 app/controllers/user_api_keys_controller.rb | 2 +-
 app/services/wildcard_url_checker.rb | 10 ++++++++++
 config/locales/server.en.yml | 2 +-
 spec/requests/user_api_keys_controller_spec.rb | 10 ++++++++++
 4 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 app/services/wildcard_url_checker.rb

diff --git a/app/controllers/user_api_keys_controller.rb b/app/controllers/user_api_keys_controller.rb
index a9db864e907..30ea1290165 100644
--- a/app/controllers/user_api_keys_controller.rb
+++ b/app/controllers/user_api_keys_controller.rb
@@ -53,7 +53,7 @@ class UserApiKeysController < ApplicationController
     if params.key?(:auth_redirect) &&
       SiteSetting.allowed_user_api_auth_redirects
       .split('|')
-      .none? { |u| params[:auth_redirect] == u }
+      .none? { |u| WildcardUrlChecker.check_url(u, params[:auth_redirect]) }
       raise Discourse::InvalidAccess
     end
 
diff --git a/app/services/wildcard_url_checker.rb b/app/services/wildcard_url_checker.rb
new file mode 100644
index 00000000000..0503493b05f
--- /dev/null
+++ b/app/services/wildcard_url_checker.rb
@@ -0,0 +1,10 @@
+module WildcardUrlChecker
+
+  def self.check_url(url, url_to_check)
+    escaped_url = Regexp.escape(url).sub("\\*", '\S*')
+    url_regex = Regexp.new("^#{escaped_url}$", 'i')
+
+    url_to_check.match(url_regex)
+  end
+
+end
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index b5209178fd6..66e1b5f8bcc 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
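Review bot: The new `none?` block passes `params[:auth_redirect]` straight into `WildcardUrlChecker.check_url`, which calls `.match` on it, whereas the replaced `==` comparison tolerated any parameter type; a non-String parameter value would now, as far as I can tell, raise NoMethodError instead of reaching the `Discourse::InvalidAccess` this branch is meant to raise. Coercing once before walking the allow-list keeps the failure mode unchanged: `redirect = params[:auth_redirect].to_s` above the `if`, then `.none? { |u| WildcardUrlChecker.check_url(u, redirect) }`. The enclosing method starts and ends outside the hunk.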
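Review bot: `^` and `$` in the pattern built on the `url_regex` line anchor at line boundaries rather than at the ends of the string, so a `url_to_check` containing a newline is compared line by line; an allow-list check should anchor the whole string, `url_regex = Regexp.new("\\A#{escaped_url}\\z", 'i')`. On the line above, `sub` rewrites only the first `*`, so a setting with two wildcards keeps the second as a literal `\*`; `gsub` would match the "any part of it" wording the locale change adds. The `\S*` expansion also matches `/`, `@` and `?`, so a wildcard placed in the host part (`https://*.example.com`) accepts URLs on other hosts whose path merely ends in `.example.com`, which is wider than the configured origin; restricting a host-side wildcard to `[^/]*`, or comparing scheme and host of `url_to_check` separately before the pattern match, would keep the entry scoped as an admin would expect. `match?` would additionally avoid allocating a MatchData the caller only uses as a boolean.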
@@ -1932,7 +1932,7 @@ en:
     allow_user_api_key_scopes: "List of scopes allowed for user API keys"
     max_api_keys_per_user: "Maximum number of user API keys per user"
     min_trust_level_for_user_api_key: "Trust level required for generation of user API keys"
-    allowed_user_api_auth_redirects: "Allowed URL for authentication redirect for user API keys"
+    allowed_user_api_auth_redirects: "Allowed URL for authentication redirect for user API keys. Wildcard symbol * can be used to match any part of it (e.g. www.example.com/*)."
     allowed_user_api_push_urls: "Allowed URLs for server push to user API"
     expire_user_api_keys_days: "Number of days before an user API key automatically expires (0 for never)"
 
diff --git a/spec/requests/user_api_keys_controller_spec.rb b/spec/requests/user_api_keys_controller_spec.rb
index ee5ffb4d7ff..e2cce3d8a36 100644
--- a/spec/requests/user_api_keys_controller_spec.rb
+++ b/spec/requests/user_api_keys_controller_spec.rb
@@ -240,5 +240,15 @@ describe UserApiKeysController do
       expect(api_key.user_id).to eq(user.id)
     end
+
+    it "will allow redirect to wildcard urls" do
+      SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect] + '/*'
+      args[:auth_redirect] = args[:auth_redirect] + '/bluebirds/fly'
+
+      sign_in(Fabricate(:user))
+
+      post "/user-api-key.json", params: args
+      expect(response.status).to eq(302)
+    end
   end
 end
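Review bot: The added example only exercises the accepting side of the wildcard; since `allowed_user_api_auth_redirects` is an allow-list, a companion example that sets the same `'/*'` pattern, posts an `auth_redirect` outside it (a different host, say) and expects the request to be rejected would pin down that the wildcard does not widen the check beyond the configured prefix. Naming the example after the behaviour ("allows redirect to a URL matching a wildcard entry") would also read better than "will allow". The enclosing `describe` block begins outside the hunk.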