feat: implement zero-wildcard project-scoped NG_ALLOWED_HOSTS and strict location checks for Angular SSR

falahat · falahat · commit 5caf8fa7433a · 2026-06-24T10:34:42.000-04:00
diff --git a/src/deploy/apphosting/prepare.spec.ts b/src/deploy/apphosting/prepare.spec.ts
@@ -822,20 +822,20 @@ describe("apphosting", () => {
       readFileSyncStub = sinon.stub(fs, "readFileSync");
     });
 
-    it("should do nothing for non-Angular applications", () => {
+    it("should do nothing for non-Angular applications", async () => {
       const cfg: AppHostingSingle = { backendId: "foo", rootDir: "/", ignore: [] };
       const buildEnv: Record<string, EnvMap> = { foo: {} };
       const runtimeEnv: Record<string, EnvMap> = { foo: {} };
 
       existsStub.returns(false);
 
-      injectAngularEnvVars(cfg, "/app-dir", buildEnv, runtimeEnv);
+      await injectAngularEnvVars(cfg, "/app-dir", "my-project", "us-central1", buildEnv, runtimeEnv);
 
       expect(buildEnv["foo"]).to.be.empty;
       expect(runtimeEnv["foo"]).to.be.empty;
     });
 
-    it("should inject defaults for Angular applications when headers are missing", () => {
+    it("should inject defaults for Angular applications when headers are missing", async () => {
       const cfg: AppHostingSingle = { backendId: "foo", rootDir: "/", ignore: [] };
       const buildEnv: Record<string, EnvMap> = { foo: {} };
       const runtimeEnv: Record<string, EnvMap> = { foo: {} };
@@ -849,19 +849,19 @@ describe("apphosting", () => {
         }),
       );
 
-      injectAngularEnvVars(cfg, "/app-dir", buildEnv, runtimeEnv);
+      await injectAngularEnvVars(cfg, "/app-dir", "my-project", "us-central1", buildEnv, runtimeEnv);
 
       expect(runtimeEnv["foo"]["NG_TRUST_PROXY_HEADERS"]).to.deep.equal({
         value: "x-forwarded-host,x-forwarded-port,x-forwarded-proto,x-forwarded-for",
         availability: ["RUNTIME"],
       });
       expect(runtimeEnv["foo"]["NG_ALLOWED_HOSTS"]).to.deep.equal({
-        value: "*.hosted.app,*.run.app,*.firestack.app,localhost",
+        value: "foo-123456789.us-central1.run.app,foo--my-project.us-central1.hosted.app,foo--my-project.web.app,foo--my-project.firebaseapp.com",
         availability: ["RUNTIME"],
       });
     });
 
-    it("should accept valid NG_TRUST_PROXY_HEADERS overrides", () => {
+    it("should accept valid NG_TRUST_PROXY_HEADERS overrides", async () => {
       const cfg: AppHostingSingle = { backendId: "foo", rootDir: "/", ignore: [] };
       const buildEnv: Record<string, EnvMap> = { foo: {} };
       const runtimeEnv: Record<string, EnvMap> = {
@@ -880,14 +880,14 @@ describe("apphosting", () => {
         }),
       );
 
-      injectAngularEnvVars(cfg, "/app-dir", buildEnv, runtimeEnv);
+      await injectAngularEnvVars(cfg, "/app-dir", "my-project", "us-central1", buildEnv, runtimeEnv);
 
       expect(runtimeEnv["foo"]["NG_TRUST_PROXY_HEADERS"]?.value).to.equal(
         "X-Forwarded-Host,X-Forwarded-Proto",
       );
     });
 
-    it("should throw an error for invalid NG_TRUST_PROXY_HEADERS values", () => {
+    it("should throw an error for invalid NG_TRUST_PROXY_HEADERS values", async () => {
       const cfg: AppHostingSingle = { backendId: "foo", rootDir: "/", ignore: [] };
       const buildEnv: Record<string, EnvMap> = { foo: {} };
       const runtimeEnv: Record<string, EnvMap> = {
@@ -906,12 +906,12 @@ describe("apphosting", () => {
         }),
       );
 
-      expect(() => {
-        injectAngularEnvVars(cfg, "/app-dir", buildEnv, runtimeEnv);
-      }).to.throw(FirebaseError, "invalid value for NG_TRUST_PROXY_HEADERS");
+      await expect(
+        injectAngularEnvVars(cfg, "/app-dir", "my-project", "us-central1", buildEnv, runtimeEnv)
+      ).to.be.rejectedWith(FirebaseError, "invalid value for NG_TRUST_PROXY_HEADERS");
     });
 
-    it("should throw an error if NG_TRUST_PROXY_HEADERS explicitly omits RUNTIME availability", () => {
+    it("should throw an error if NG_TRUST_PROXY_HEADERS explicitly omits RUNTIME availability", async () => {
       const cfg: AppHostingSingle = { backendId: "foo", rootDir: "/", ignore: [] };
       const buildEnv: Record<string, EnvMap> = { foo: {} };
       const runtimeEnv: Record<string, EnvMap> = {
@@ -930,12 +930,12 @@ describe("apphosting", () => {
         }),
       );
 
-      expect(() => {
-        injectAngularEnvVars(cfg, "/app-dir", buildEnv, runtimeEnv);
-      }).to.throw(FirebaseError, "must include RUNTIME in its availability");
+      await expect(
+        injectAngularEnvVars(cfg, "/app-dir", "my-project", "us-central1", buildEnv, runtimeEnv)
+      ).to.be.rejectedWith(FirebaseError, "must include RUNTIME in its availability");
     });
 
-    it("should throw an error if NG_ALLOWED_HOSTS explicitly omits RUNTIME availability", () => {
+    it("should throw an error if NG_ALLOWED_HOSTS explicitly omits RUNTIME availability", async () => {
       const cfg: AppHostingSingle = { backendId: "foo", rootDir: "/", ignore: [] };
       const buildEnv: Record<string, EnvMap> = { foo: {} };
       const runtimeEnv: Record<string, EnvMap> = {
@@ -954,15 +954,15 @@ describe("apphosting", () => {
         }),
       );
 
-      expect(() => {
-        injectAngularEnvVars(cfg, "/app-dir", buildEnv, runtimeEnv);
-      }).to.throw(
+      await expect(
+        injectAngularEnvVars(cfg, "/app-dir", "my-project", "us-central1", buildEnv, runtimeEnv)
+      ).to.be.rejectedWith(
         FirebaseError,
         "NG_ALLOWED_HOSTS environment variable must be set with RUNTIME availability",
       );
     });
 
-    it("should throw an error if NG_ALLOWED_HOSTS omits availability entirely (replicating the Go preparer slices.Contains(nil) quirk)", () => {
+    it("should throw an error if NG_ALLOWED_HOSTS omits availability entirely (replicating the Go preparer slices.Contains(nil) quirk)", async () => {
       const cfg: AppHostingSingle = { backendId: "foo", rootDir: "/", ignore: [] };
       const buildEnv: Record<string, EnvMap> = { foo: {} };
       const runtimeEnv: Record<string, EnvMap> = {
@@ -981,15 +981,15 @@ describe("apphosting", () => {
         }),
       );
 
-      expect(() => {
-        injectAngularEnvVars(cfg, "/app-dir", buildEnv, runtimeEnv);
-      }).to.throw(
+      await expect(
+        injectAngularEnvVars(cfg, "/app-dir", "my-project", "us-central1", buildEnv, runtimeEnv)
+      ).to.be.rejectedWith(
         FirebaseError,
         "NG_ALLOWED_HOSTS environment variable must be set with RUNTIME availability",
       );
     });
 
-    it("should pass if NG_ALLOWED_HOSTS has explicit RUNTIME availability", () => {
+    it("should pass if NG_ALLOWED_HOSTS has explicit RUNTIME availability", async () => {
       const cfg: AppHostingSingle = { backendId: "foo", rootDir: "/", ignore: [] };
       const buildEnv: Record<string, EnvMap> = { foo: {} };
       const runtimeEnv: Record<string, EnvMap> = {
@@ -1008,7 +1008,7 @@ describe("apphosting", () => {
         }),
       );
 
-      injectAngularEnvVars(cfg, "/app-dir", buildEnv, runtimeEnv);
+      await injectAngularEnvVars(cfg, "/app-dir", "my-project", "us-central1", buildEnv, runtimeEnv);
 
       expect(runtimeEnv["foo"]["NG_ALLOWED_HOSTS"]?.value).to.equal("my.domain.com");
     });
diff --git a/src/deploy/apphosting/prepare.ts b/src/deploy/apphosting/prepare.ts
@@ -198,7 +198,11 @@ export default async function (context: Context, options: Options): Promise<void
     await injectAutoInitEnvVars(cfg, backends, buildEnv, runtimeEnv);
 
     const rootDir = path.resolve(options.projectRoot || process.cwd());
-    injectAngularEnvVars(cfg, rootDir, buildEnv, runtimeEnv);
+    const location = context.backendLocations[cfg.backendId];
+    if (!location) {
+      throw new FirebaseError(`Failed to find location for backend ${cfg.backendId}.`);
+    }
+    await injectAngularEnvVars(cfg, rootDir, projectId, location, buildEnv, runtimeEnv);
     // Generate a static 8-character hash of the Workspace Root directory path to guarantee
     // 100% sibling folder build isolation on the same machine, while preserving predictability.
     const pathHash = crypto.createHash("md5").update(rootDir).digest("hex").substring(0, 8);
@@ -465,12 +469,14 @@ function isAngularApplication(appDir: string): boolean {
 /**
  * Replicates the Go buildpack preparer's Angular environment variable injection and validation.
  */
-export function injectAngularEnvVars(
+export async function injectAngularEnvVars(
   cfg: AppHostingSingle,
   projectRoot: string,
+  projectId: string,
+  location: string,
   buildEnv: Record<string, EnvMap>,
   runtimeEnv: Record<string, EnvMap>,
-): void {
+): Promise<void> {
   const appDir = path.join(projectRoot, cfg.rootDir || "");
   if (!isAngularApplication(appDir)) {
     return;
@@ -532,12 +538,20 @@ export function injectAngularEnvVars(
       );
     }
   } else {
+    const projectNumber = await getProjectNumber({ project: projectId });
+    const sharedDomain = "hosted.app";
+    const allowedHostsValue = [
+      `${backendId}-${projectNumber}.${location}.run.app`,
+      `${backendId}--${projectId}.${location}.${sharedDomain}`,
+      `${backendId}--${projectId}.web.app`,
+      `${backendId}--${projectId}.firebaseapp.com`,
+    ].join(",");
     logLabeledBullet(
       "apphosting",
-      `Angular SSR application detected. Injecting default NG_ALLOWED_HOSTS=*.hosted.app,*.run.app,*.firestack.app,localhost`,
+      `Angular SSR application detected. Injecting default NG_ALLOWED_HOSTS=${allowedHostsValue}`,
     );
     runtimeEnv[backendId]["NG_ALLOWED_HOSTS"] = {
-      value: "*.hosted.app,*.run.app,*.firestack.app,localhost",
+      value: allowedHostsValue,
       availability: ["RUNTIME"],
     };
   }
