From 60162af52e9c14f23c8ec02bee53cbe5fd9f7fae Mon Sep 17 00:00:00 2001
From: Alex Thillen
Date: Mon, 10 Jul 2023 14:34:55 +0200
Subject: [PATCH 1/4] add disable-origin-check flag
---
 src/node/cli.ts | 7 +++++++
 src/node/http.ts | 4 +++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/node/cli.ts b/src/node/cli.ts
index 37ff3628b2d8..8bb1ea058636 100644
--- a/src/node/cli.ts
+++ b/src/node/cli.ts
@@ -47,6 +47,7 @@ export interface UserProvidedCodeArgs {
 "show-versions"?: boolean
 category?: string
 "github-auth"?: string
+ "disable-authenticate-origin"?: boolean
 "disable-update-check"?: boolean
 "disable-file-downloads"?: boolean
 "disable-workspace-trust"?: boolean
@@ -164,6 +165,12 @@ export const options: Options> = {
 "session-socket": {
 type: "string",
 },
+ "disable-authenticate-origin": {
+ type: "boolean",
+ description:
+ "Disable check that the origin of the request is the same as the host. Notice that this disables a safety feature. \n" +
+ "(Useful when using a reverse proxy)",
+ },
 "disable-file-downloads": {
 type: "boolean",
 description:
diff --git a/src/node/http.ts b/src/node/http.ts
index 1885fef562fa..61390020aaa0 100644
--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -327,7 +327,9 @@ function getFirstHeader(req: http.IncomingMessage, headerName: string): string |
 */
 export function ensureOrigin(req: express.Request, _?: express.Response, next?: express.NextFunction): void {
 try {
- authenticateOrigin(req)
+ if (!req.args["disable-authenticate-origin"]) {
+ authenticateOrigin(req)
+ }
 if (next) {
 next()
 }
From e3bd5f00ded2ac742f31f66f7114f2624dac823a Mon Sep 17 00:00:00 2001
From: Alex Thillen
Date: Tue, 11 Jul 2023 13:10:40 +0200
Subject: [PATCH 2/4] trusted origins flag instead
---
 src/node/cli.ts | 12 ++++++------
 src/node/http.ts | 9 ++++++---
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/node/cli.ts b/src/node/cli.ts
index 8bb1ea058636..1c3a6e3e1f42 100644
--- a/src/node/cli.ts
+++ b/src/node/cli.ts
@@ -80,6 +80,7 @@ export interface UserProvidedArgs extends UserProvidedCodeArgs {
 "bind-addr"?: string
 socket?: string
 "socket-mode"?: string
+ "trusted-origins"?: string[]
 version?: boolean
 "proxy-domain"?: string[]
 "reuse-window"?: boolean
@@ -165,12 +166,6 @@ export const options: Options> = {
 "session-socket": {
 type: "string",
 },
- "disable-authenticate-origin": {
- type: "boolean",
- description:
- "Disable check that the origin of the request is the same as the host. Notice that this disables a safety feature. \n" +
- "(Useful when using a reverse proxy)",
- },
 "disable-file-downloads": {
 type: "boolean",
 description:
@@ -215,6 +210,11 @@ export const options: Options> = {
 socket: { type: "string", path: true, description: "Path to a socket (bind-addr will be ignored)." },
 "socket-mode": { type: "string", description: "File mode of the socket." },
+ "trusted-origins": {
+ type: "string[]",
+ description:
+ "Disables authenticate origin check for trusted origin. Useful if not able to access reverse proxy configuration.",
+ },
 version: { type: "boolean", short: "v", description: "Display version information." },
 _: { type: "string[]" },
diff --git a/src/node/http.ts b/src/node/http.ts
index 61390020aaa0..4158f0b81dc9 100644
--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -327,9 +327,7 @@ function getFirstHeader(req: http.IncomingMessage, headerName: string): string |
 */
 export function ensureOrigin(req: express.Request, _?: express.Response, next?: express.NextFunction): void {
 try {
- if (!req.args["disable-authenticate-origin"]) {
- authenticateOrigin(req)
- }
+ authenticateOrigin(req)
 if (next) {
 next()
 }
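Review bot: The `trusted-origins` description in the `@@ -215` hunk does not say what an entry must look like or that `*` is accepted, although the check this series adds in src/node/http.ts compares entries verbatim against the parsed request origin and treats `*` as matching every origin. Each listed entry exempts that origin from the cross-site protection the check provides, so the flag text should make that cost explicit, e.g. `"Origins exempt from the origin check, written as the check compares them (host and optional port). Use * to exempt every origin; this removes cross-site protection, so prefer configuring the reverse proxy to forward the Host header."` The exact form of a matching entry depends on how `origin` is derived inside authenticateOrigin, which is outside these hunks, so confirm that before wording it as host:port.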
@@ -357,6 +355,11 @@ export function authenticateOrigin(req: express.Request): void {
 throw new Error(`unable to parse malformed origin "${originRaw}"`)
 }
+ const trustedOrigins = req.args["trusted-origins"] || []
+ if (trustedOrigins.includes(origin) || trustedOrigins.includes("*")) {
+ return
+ }
+
 const host = getHost(req)
 if (typeof host === "undefined") {
 // A missing host likely means the reverse proxy has not been configured to
From c698d6b65e4f69d53b72ec1b500c5d47fb46915c Mon Sep 17 00:00:00 2001
From: Asher
Date: Thu, 13 Jul 2023 14:17:36 -0500
Subject: [PATCH 3/4] Remove disable origin check prop from interface
---
 src/node/cli.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/node/cli.ts b/src/node/cli.ts
index 1c3a6e3e1f42..3f3c8086d033 100644
--- a/src/node/cli.ts
+++ b/src/node/cli.ts
@@ -47,7 +47,6 @@ export interface UserProvidedCodeArgs {
 "show-versions"?: boolean
 category?: string
 "github-auth"?: string
- "disable-authenticate-origin"?: boolean
 "disable-update-check"?: boolean
 "disable-file-downloads"?: boolean
 "disable-workspace-trust"?: boolean
From 02c11d5bff353128b419aeb8cb582eb5420fa6bc Mon Sep 17 00:00:00 2001
From: Alex Thillen
Date: Wed, 19 Jul 2023 09:06:04 +0200
Subject: [PATCH 4/4] include args in authenticateOrigin http test
---
 test/unit/node/http.test.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test/unit/node/http.test.ts b/test/unit/node/http.test.ts
index 59a09dc87eb1..d15633a28329 100644
--- a/test/unit/node/http.test.ts
+++ b/test/unit/node/http.test.ts
@@ -70,6 +70,7 @@ describe("http", () => {
 origin: test.origin,
 [key]: value,
 },
+ args: {},
 })
 if (typeof test.expected === "string") {
 expect(() => http.authenticateOrigin(req)).toThrow(test.expected)
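Review bot: `trustedOrigins.includes("*")` makes the list an unconditional bypass of the origin check — the same effect as the `disable-authenticate-origin` switch that PATCH 2/4 and 3/4 remove — and nothing in the hunk records that it is in effect; I would log a warning once when the wildcard is configured and put `// "*" exempts every origin and removes the cross-site protection this check provides` above the `if`. The comparison is an exact `includes` on `origin`, so if `origin` is the host parsed from the header (its derivation is above the hunk), entries have to be written in that host[:port] form, and a comment saying so next to the check would spare operators a list that silently never matches. `req.args["trusted-origins"]` is also read without a guard, so a request object without `args` fails with a TypeError rather than a clear error — fail-closed but opaque, and the reason PATCH 4/4 has to add `args: {}` to the test; `const trustedOrigins = req.args?.["trusted-origins"] ?? []` keeps the fail-closed outcome (the host check below still runs) without the crash. authenticateOrigin starts before the hunk and continues after it.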
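Review bot: No case in this table exercises the new `trusted-origins` path added to `authenticateOrigin` in src/node/http.ts; the `args: {}` added here only keeps the existing cases from failing on the `req.args` access. Three cases would pin the behaviour: a mismatched origin that is listed under `args["trusted-origins"]` and must not throw, the same origin unlisted and still throwing, and `["*"]` admitting a mismatched origin. The `describe` block and the test table begin before the hunk, so the field names used to build `req` (only `origin`, `[key]: value` and `expected` are visible here) need to be matched when adding them.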