Angular2-jwt: 1.0.0-beta.5: Allow `whitelistedDomains` to be disabled or specified via wildcards

Created on 28 Jul 2017 · 15Comments · Source: auth0/angular2-jwt

Our webservice URL is not hard-coded but rather retrieved at runtime, therefore it's not possible to hard-code our whitelisted domains when importing JwtModule.forRoot().

It would be helpful to be able to disable whitelisting and/or allow for wildcards.

Source

mischkl

Most helpful comment

I finally found a solution.

export function getToken () { return localStorage.getItem(tokenName); }
export const whitelistedDomains = [new RegExp('[\s\S]*')] as RegExp[];
export function jwtOptionsFactory() { return { tokenGetter: getToken, whitelistedDomains: whitelistedDomains }; }
In the imports:
JwtModule.forRoot({ jwtOptionsProvider: { provide: JWT_OPTIONS, useFactory: jwtOptionsFactory } })

nischi on 19 Feb 2018

👍6

All 15 comments

Are you using angular-cli/aot?

JwtModule.forRoot({
  config: {
    whitelistedDomains: [new RegExp('regexp'), 'string'],
  }
})

after ng build --prod I get only whitelistedDomains:['string']

ln-e on 19 Oct 2017

👍1

Have you managed to solve this issue?

remeezp on 27 Oct 2017

yes, you can use regular expressions. if you want to "disable" the feature you can use /.*/ which matches any string.

mischkl on 27 Oct 2017

@ln-e that is mighty odd, maybe try using a regular expression literal (i.e. of the format /regexp/) or define the regexp as an exported constant first (i.e. export const REGEXP = new RegExp('regexp');) and then use it. sometimes AOT has trouble with things that are not statically defined within files.

mischkl on 27 Oct 2017

@mischkl, thanks for this, updating the whitelistedDomains: [/.*/] works when running ng serve, but when running ng build --prod I get an error

ERROR in Error: Error encountered resolving symbol values statically.

remeezp on 27 Oct 2017

@mischkl, literal provides error as @remeezp said. Unfortunately, export const anyname = new RegExp('') and usage it inside config also removed while ng build --prod.

Possible solution

config: {
    whitelistedDomains: [{RegExp: 'regexp'}, 'string'],
  }

and create new RegExp from this object inside isWhitelistedDomain function. But this looks ugly.

I think this should be reopened.

ln-e on 27 Oct 2017

how about opening a new issue dealing with this exact problem? although tbh I'm not really sure how the library itself could be much help here, since the problem is how things are compiled...

@remeezp @ln-e Also have you tried exporting a literal expression? i.e. export const REGEXP = /regexp/; and then using that?

mischkl on 27 Oct 2017

Works also not with "export const"

I tried:

export const whitelistedRegExp = new RegExp('[\s\S]*');

and

export const whitelistedRegExp = /[\s\S]*/;

nischi on 19 Feb 2018

I finally found a solution.

nischi on 19 Feb 2018

👍6

@nischi Thnx for this solution, it does work with AOT. I personally think that having to use a regex is a less optimal solution, it should be an asterisk (*).

maikdiepenbroek on 23 Feb 2018

@maikdiepenbroek Yes would be much easier, but to be honest we should set the correct domain to be more secure. But we load the URL from a Settings-File and that's not available on this point. Any idea on that?

nischi on 24 Feb 2018

@nischi I agree, but just for developing it would make life a lot easier.
We could use the the environments file to determine which domains we want to support for dev/prod. Or maybe with the help of an Injection token ?

maikdiepenbroek on 24 Feb 2018

@maikdiepenbroek i would prefer to have the url set from the build server, and that i do over a settings file. has pro and contras

nischi on 24 Feb 2018

You could always have an NODE_ENV variable set by the build server. And use that var as the whitelisted domain value.

maikdiepenbroek on 24 Feb 2018

Of course, thats a solution. Not sure whats best practice. But give a try.

nischi on 24 Feb 2018

Was this page helpful?

0 / 5 - 0 ratings