
@eriknelson
Created October 29, 2021 19:37
No proxy fix, cidr aware
diff --git a/deploy/main.js b/deploy/main.js
index 1473652..5867dcb 100644
--- a/deploy/main.js
+++ b/deploy/main.js
@@ -6,6 +6,10 @@ const HttpsProxyAgent = require('https-proxy-agent');
const { AuthorizationCode } = require('simple-oauth2');
const { createProxyMiddleware } = require('http-proxy-middleware');
const axios = require('axios');
+const { URL } = require('url');
+const ipRangeCheck = require('ip-range-check');
+const isIp = require('is-ip');
+const isCidr = require('is-cidr');
let cachedOAuthMeta = null;
@@ -123,10 +127,9 @@ app.get('/login/callback', async (req, res, next) => {
};
try {
const clusterAuth = await getClusterAuth();
-
const proxyString = process.env['HTTPS_PROXY'] || process.env['HTTP_PROXY'];
let httpOptions = {};
- if (proxyString) {
+ if (proxyString && !tokenEndpointMatchesNoProxy(cachedOAuthMeta?.token_endpoint)) {
httpOptions = {
agent: new HttpsProxyAgent(proxyString),
};
@@ -186,3 +189,45 @@ const getClusterAuth = async () => {
},
});
};
+
+const noProxyPatterns = (process.env.no_proxy || process.env.NO_PROXY || '')
+ .split(',')
+ .map((pattern) => pattern.trim())
+ .filter((pattern) => !!pattern);
+
+function tokenEndpointMatchesNoProxy(url) {
+ const { hostname } = parseUrl(url);
+ if (!hostname) {
+ return false;
+ }
+ const doesNoProxyMatch = noProxyPatterns.some((pattern) => {
+ // Check if the no proxy pattern is a CIDR. If it is, and the host of the
+ // token endpoint is an ip address, then we need to check to see if the
+ // ip address lies within the pattern's CIDR rage
+ const patternIsCidr = isCidr(pattern);
+ const hostIsIp = isIp(host);
+ const mustCheckRange = patternIsCidr && hostIsIp;
+
+ if mustCheckRange {
+ return ipRangeCheck(host, pattern)
+ }
+
+ // We aren't dealing with an IP range, so we can just check to see if the
+ // hostname of the token endpoint is concretely specified in the NO_PROXY
+ // pattern list. This should cover all three non-CIDR potential values:
+ // * Domain names: "oauth-server.apps.mycorp.com"
+ // * Domains: ".apps.mycorp.com"
+ // * Concrete IP addresses: 192.168.1.2
+ return hostname.endsWith(pattern)
+ });
+
+ return doesNoProxyMatch;
+}
+
+function parseUrl(value) {
+ try {
+ return new URL(value);
+ } catch (err) {
+ return new URL('');
+ }
+}
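Review bot: `tokenEndpointMatchesNoProxy` cannot run as written: `if mustCheckRange {` is missing its parentheses, which is a syntax error for the whole file, and `isIp(host)` / `ipRangeCheck(host, pattern)` use `host` although only `hostname` is destructured. The fallback in `parseUrl` also throws, because `new URL('')` is itself an invalid URL, so a missing `token_endpoint` at the `/login/callback` call site raises instead of returning false. The final `hostname.endsWith(pattern)` matches across label boundaries, so a NO_PROXY entry of `mycorp.com` would also exempt `notmycorp.com` from the egress proxy; matching the exact host or a dot-prefixed suffix avoids that. Bracketed IPv6 hostnames and case differences in patterns are not handled either and may deserve a follow-up.

```javascript
function tokenEndpointMatchesNoProxy(url) {
  // … unchanged: hostname extraction and empty-hostname guard …
  return noProxyPatterns.some((pattern) => {
    if (isCidr(pattern) && isIp(hostname)) {
      return ipRangeCheck(hostname, pattern);
    }
    // Exact host, or a suffix that starts at a label boundary.
    const bare = pattern.replace(/^\./, '');
    return hostname === bare || hostname.endsWith(`.${bare}`);
  });
}

function parseUrl(value) {
  try {
    return new URL(value);
  } catch (err) {
    // new URL('') throws too; an empty object makes hostname undefined.
    return {};
  }
}
```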
diff --git a/package.json b/package.json
index 3d28e2f..3b62086 100644
--- a/package.json
+++ b/package.json
@@ -97,6 +97,9 @@
"formik": "^2.1.4",
"history": "^4.9.0",
"http-proxy-middleware": "^2.0.0",
+ "ip-range-check": "^0.2.0",
+ "is-cidr": "^4.0.2",
+ "is-ip": "^3.1.0",
"jszip": "^3.6.0",
"lodash": "^4.17.21",
"process": "^0.11.10",
@@ -117,6 +120,7 @@
"simple-oauth2": "^4.1.0",
"stream": "^0.0.2",
"tree-crawl": "^1.0.5",
+ "url": "^0.11.0",
"uuid": "^3.3.2"
}
}
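Review bot: The `url` entry added here looks unnecessary for `deploy/main.js`: under Node, `require('url')` resolves to the built-in module rather than `node_modules`, and `URL` is also available as a global. As far as I know the npm `url` package at 0.11 exposes the legacy `parse`/`format` API and not the WHATWG `URL` class, so it would not satisfy `const { URL } = require('url')` if it were ever resolved instead (for example by a bundler). Dropping `"url": "^0.11.0"` keeps one unneeded third-party package out of the dependency tree, unless other code in the repository relies on it.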