From 08a3ae0e7c93b60dc1ad1d6eb43a60e0d467126b Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Wed, 9 Feb 2022 18:33:29 +0100
Subject: [PATCH] use env platform URL for datasource auth to prevent tenant
 overrides

---
 .../src/middleware/passport/datasource/google.js     | 12 +++---------
 packages/worker/src/api/routes/global/auth.js        |  5 +++++
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/packages/backend-core/src/middleware/passport/datasource/google.js b/packages/backend-core/src/middleware/passport/datasource/google.js
index bfc2e4a61e..dfa3c647a0 100644
--- a/packages/backend-core/src/middleware/passport/datasource/google.js
+++ b/packages/backend-core/src/middleware/passport/datasource/google.js
@@ -4,6 +4,7 @@ const google = require("../google")
 const { Configs, Cookies } = require("../../../constants")
 const { clearCookie, getCookie } = require("../../../utils")
 const { getDB } = require("../../../db")
+const environment = require("../../../environment")
 
 async function preAuth(passport, ctx, next) {
   const db = getGlobalDB()
@@ -12,10 +13,7 @@ async function preAuth(passport, ctx, next) {
     type: Configs.GOOGLE,
     workspace: ctx.query.workspace,
   })
-  const publicConfig = await getScopedConfig(db, {
-    type: Configs.SETTINGS,
-  })
-  let callbackUrl = `${publicConfig.platformUrl}/api/global/auth/datasource/google/callback`
+  let callbackUrl = `${environment.PLATFORM_URL}/api/global/auth/datasource/google/callback`
   const strategy = await google.strategyFactory(config, callbackUrl)
 
   if (!ctx.query.appId || !ctx.query.datasourceId) {
@@ -37,11 +35,7 @@ async function postAuth(passport, ctx, next) {
     workspace: ctx.query.workspace,
   })
 
-  const publicConfig = await getScopedConfig(db, {
-    type: Configs.SETTINGS,
-  })
-
-  let callbackUrl = `${publicConfig.platformUrl}/api/global/auth/datasource/google/callback`
+  let callbackUrl = `${environment.PLATFORM_URL}/api/global/auth/datasource/google/callback`
   const strategy = await google.strategyFactory(
     config,
     callbackUrl,
diff --git a/packages/worker/src/api/routes/global/auth.js b/packages/worker/src/api/routes/global/auth.js
index 373bf5736a..cc00b4f82f 100644
--- a/packages/worker/src/api/routes/global/auth.js
+++ b/packages/worker/src/api/routes/global/auth.js
@@ -80,6 +80,11 @@ router
     updateTenant,
     authController.googleAuth
   )
+  .get(
+    "/api/global/auth/:tenantId/datasource/:provider/callback",
+    updateTenant,
+    authController.datasourceAuth
+  )
   .get(
     "/api/global/auth/:tenantId/oidc/configs/:configId",
     updateTenant,