feat: add domain redirect middleware (#3883)

* feat: add domain redirect middleware

* test: reduce tests

* test: reduce tests

* test: reduce tests

* fix: correct redirect with x-forwarded-host header

* fix tests

* review changes

* more changes

* fmt

* update app.json

* fmt

* revert: add MITXPRO_BASE_URL configuration to app.json

* Disable canonical hostname redirect by default

Author: asadali145

app.json

@@ -47,6 +47,10 @@
       "description": "How long the blog should be cached",
       "required": false
     },
+    "CANONICAL_HOSTNAME_REDIRECT_ENABLED": {
+      "description": "Whether to enable redirecting to the canonical hostname defined in SITE_BASE_URL when a request comes in with a different hostname",
+      "required": false
+    },
     "CELERY_BROKER_URL": {
       "description": "Where celery should get tasks, default is Redis URL",
       "required": false

conftest.py

@@ -99,3 +99,9 @@ def django_db_setup(django_db_setup, django_db_blocker):  # noqa: ARG001
             if not index_page_class.objects.filter(**index_page_content).exists():
                 index_page = index_page_class(**index_page_content)
                 home_page.add_child(instance=index_page)
+
+
+@pytest.fixture(autouse=True)
+def canonical_hostname_redirect_disabled_by_default(settings):
+    """Disable canonical hostname redirects in tests unless explicitly enabled."""
+    settings.CANONICAL_HOSTNAME_REDIRECT_ENABLED = False

mitxpro/middleware.py

@@ -0,0 +1,34 @@
+"""Middleware for MIT xPRO"""
+
+from urllib.parse import urlparse
+
+from django.conf import settings
+from django.http import HttpResponseRedirect
+
+
+class HostnameRedirectMiddleware:
+    """Middleware that redirects requests arriving at an incorrect hostname to the
+    canonical hostname configured in SITE_BASE_URL."""
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        site_base_url = getattr(settings, "SITE_BASE_URL", None)
+        if not site_base_url:
+            return self.get_response(request)
+
+        parsed = urlparse(site_base_url)
+        canonical_host = parsed.netloc
+        canonical_scheme = parsed.scheme
+
+        if (
+            not settings.CANONICAL_HOSTNAME_REDIRECT_ENABLED
+            or request.get_host() == canonical_host
+        ):
+            return self.get_response(request)
+
+        redirect_url = "{}://{}{}".format(
+            canonical_scheme, canonical_host, request.get_full_path()
+        )
+        return HttpResponseRedirect(redirect_url)

mitxpro/middleware_test.py

@@ -0,0 +1,102 @@
+"""Tests for mitxpro middleware"""
+
+import pytest
+from rest_framework import status
+
+from mitxpro.middleware import HostnameRedirectMiddleware
+
+
+CANONICAL_URL = "https://xpro.mit.edu"
+CANONICAL_HOST = "xpro.mit.edu"
+WRONG_HOST = "xpro-web.odl.mit.edu"
+
+
+@pytest.fixture()
+def middleware(mocker):
+    return HostnameRedirectMiddleware(get_response=mocker.Mock(return_value=None))
+
+
+@pytest.mark.parametrize(
+    (
+        "site_base_url",
+        "server_name",
+        "redirect_enabled",
+        "expect_redirect",
+        "expected_location",
+    ),
+    [
+        # Matching host -> passes through
+        (CANONICAL_URL, CANONICAL_HOST, True, False, None),
+        # Wrong host + redirect enabled -> redirect
+        (CANONICAL_URL, WRONG_HOST, True, True, f"{CANONICAL_URL}/some/path/"),
+        # Wrong host + redirect disabled -> passes through
+        (CANONICAL_URL, WRONG_HOST, False, False, None),
+        # No SITE_BASE_URL configured -> passes through
+        (None, WRONG_HOST, True, False, None),
+    ],
+)
+def test_hostname_redirect_middleware(
+    rf,
+    settings,
+    middleware,
+    site_base_url,
+    server_name,
+    redirect_enabled,
+    expect_redirect,
+    expected_location,
+):
+    """Tests HostnameRedirectMiddleware redirects or passes through based on host and setting."""
+    settings.SITE_BASE_URL = site_base_url
+    settings.CANONICAL_HOSTNAME_REDIRECT_ENABLED = redirect_enabled
+    request = rf.get("/some/path/", SERVER_NAME=server_name)
+    response = middleware(request)
+
+    if expect_redirect:
+        assert response.status_code == status.HTTP_302_FOUND
+        assert response["Location"] == expected_location
+    else:
+        middleware.get_response.assert_called_once_with(request)
+
+
+def test_redirect_preserves_query_string(rf, settings, middleware):
+    """The redirect preserves the full path including query string."""
+    settings.SITE_BASE_URL = CANONICAL_URL
+    settings.CANONICAL_HOSTNAME_REDIRECT_ENABLED = True
+    request = rf.get(
+        "/some/path/", {"foo": "bar", "baz": "qux"}, SERVER_NAME=WRONG_HOST
+    )
+    response = middleware(request)
+    assert response.status_code == status.HTTP_302_FOUND
+    assert response["Location"].startswith(f"{CANONICAL_URL}/some/path/?")
+    assert "foo=bar" in response["Location"]
+    assert "baz=qux" in response["Location"]
+
+
+def test_api_path_bypasses_redirect_checks(rf, settings, middleware):
+    """API routes still follow the same redirect setting behavior."""
+    settings.SITE_BASE_URL = CANONICAL_URL
+    settings.CANONICAL_HOSTNAME_REDIRECT_ENABLED = True
+    request = rf.get("/api/v1/topics/", SERVER_NAME=WRONG_HOST)
+    response = middleware(request)
+    assert response.status_code == status.HTTP_302_FOUND
+    assert response["Location"] == f"{CANONICAL_URL}/api/v1/topics/"
+
+
+def test_hostname_redirect_checks_actual_http_host(rf, settings, middleware):
+    """Redirect decision is based on actual HTTP_HOST, not X-Forwarded-Host.
+
+    This prevents infinite redirects when X-Forwarded-Host persists through
+    redirects in proxy scenarios. The middleware checks the real incoming
+    HTTP_HOST header, not Django's interpretation via request.get_host()
+    which respects USE_X_FORWARDED_HOST.
+    """
+    settings.SITE_BASE_URL = CANONICAL_URL
+    settings.CANONICAL_HOSTNAME_REDIRECT_ENABLED = True
+    # Create request with wrong actual HTTP_HOST
+    request = rf.get("/some/path/")
+    # Manually set the actual HTTP_HOST to a non-canonical value
+    request.META["HTTP_HOST"] = WRONG_HOST
+    response = middleware(request)
+    # Should redirect because actual HTTP_HOST doesn't match canonical
+    assert response.status_code == 302
+    assert response["Location"] == f"{CANONICAL_URL}/some/path/"

mitxpro/settings.py

@@ -204,6 +204,7 @@
 
 MIDDLEWARE = (
     "django.middleware.security.SecurityMiddleware",
+    "mitxpro.middleware.HostnameRedirectMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "affiliate.middleware.AffiliateMiddleware",
     "oauth2_provider.middleware.OAuth2TokenMiddleware",
@@ -1516,3 +1517,9 @@
     default=[],
     description="Comma-separated list of email addresses to receive notifications about external data syncs",
 )
+
+CANONICAL_HOSTNAME_REDIRECT_ENABLED = get_bool(
+    name="CANONICAL_HOSTNAME_REDIRECT_ENABLED",
+    default=False,
+    description="Whether to enable redirecting to the canonical hostname defined in SITE_BASE_URL when a request comes in with a different hostname",
+)