522 implement and enforce domain whitelist validation

[Joshua-Ogbonna]

Description

This PR implements domain whitelist validation for sender API endpoints to enhance security by restricting access based on configured domain whitelists.

Added domain whitelist middleware that validates Origin/Referer headers against sender's configured domain whitelist. Created domain utility functions for extraction, normalization, and validation with subdomain support. Updated CORS middleware to respect domain whitelist for proper origin validation.

References

Closes #522

Testing

Unit tests added for domain utilities and middleware validation. Integration tests verified with real API calls using curl on localhost:8000. Tested with both JWT and API key authentication methods.

Manual testing steps:

1. Test whitelisted domain access (should return 200 OK)
2. Test non-whitelisted domain access (should return 403 Forbidden)
3. Test subdomain access (should be allowed if parent domain is whitelisted)
4. Test backward compatibility with empty whitelist (should allow all domains)

Environment: Go 1.24.6, macOS, PostgreSQL 16

• This change adds test coverage for new/changed/fixed functionality

Checklist

• I have added documentation and tests for new/changed functionality in this PR
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not main

By submitting a PR, I agree to Paycrest's Contributor Code of Conduct and Contribution Guide.

Summary by CodeRabbit

• New Features
  • Sender route domain whitelisting enforced (including subdomain support) and Slack "approve" flow for KYB submissions with immediate status updates, notifications, and email alerts.
• Improvements
  • Per-route CORS: dynamic origin validation, expanded allowed headers (API-Key, Client-Type), better OPTIONS/preflight handling and logging.
• Tests
  • Added tests covering domain whitelist behavior and domain utility logic.
• Chores
  • Disabled temporary build-cache mount in development compose setup.

[coderabbitai]

Walkthrough

Adds domain extraction utilities, enforces a domain whitelist via new middleware applied to sender routes, refactors CORS to compute per-request allowed origins, adds unit tests, and comments out a tmpfs build-cache mount in docker-compose.yml.

Changes

Cohort / File(s)	Summary
Infrastructure docker-compose.yml	Commented out the server service tmpfs build-cache mount line (tmpfs-cache:/root/.cache/go-build).
Routing Integration routers/index.go	Inserted DomainWhitelistMiddleware into the /v1/sender middleware chain after dynamic auth/OnlySender middlewares.
Middleware — CORS routers/middleware/cors.go	Refactored CORS to compute per-request allowed origin (via sender context or API-Key), centralized header application (setCORSHeaders), expanded allowed headers (adds API-Key, Client-Type), handles OPTIONS preflight, and delegates origin validation to new helpers.
Middleware — Domain Whitelist routers/middleware/domain_whitelist.go	New DomainWhitelistMiddleware() that extracts domain from Origin/Referer, validates against a sender’s DomainWhitelist, logs decisions, and returns 400/403 on malformed or disallowed domains; short-circuits for non-sender paths or missing/inactive sender.
Tests — Middleware routers/middleware/domain_whitelist_test.go	New tests for domain whitelist behavior: empty whitelist allows, exact domain allows, non-whitelisted domain forbidden, and subdomain of whitelisted domain allowed.
Utils — Domain Helpers utils/domain.go	New helpers for parsing/normalizing domains and whitelist checks: ExtractDomainFromOrigin, ExtractDomainFromReferer, ExtractDomainFromRequest, NormalizeDomain, IsSubdomain, IsDomainAllowed.
Tests — Utils utils/domain_test.go	Unit tests for domain helpers covering valid/invalid origins, normalization (www., case), subdomain checks, and whitelist behavior.
Controllers — Slack KYB controllers/index.go	Added approve_ action handling in SlackInteractionHandler: idempotency guard, status updates (user KYB and profile), async Slack response replacement, email and Slack notifications, and logging.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant G as Gin Router
  participant A as Auth MW
  participant D as DomainWhitelist MW
  participant CORS as CORS MW
  participant H as Handler

  Note over C,G: Request to sender route (/v1/sender/...)
  C->>G: HTTP Request (Origin/Referer, maybe API-Key)
  G->>A: DynamicAuth / OnlySender
  A-->>G: Sender context set
  G->>D: DomainWhitelistMiddleware
  D->>D: Extract domain (Origin → Referer) / Validate against whitelist
  alt Allowed
    D-->>G: Next
    G->>CORS: Resolve allowed origin (sender/API-Key)
    CORS->>G: Set CORS headers (handle OPTIONS)
    G->>H: Handler
    H-->>C: 200 OK
  else Not allowed
    D-->>C: 403 Forbidden
  end

Loading

sequenceDiagram
  autonumber
  participant U as User (Slack)
  participant S as Server (SlackInteractionHandler)
  participant DB as KYB Storage
  participant E as Email Service
  participant Slack as Slack API

  Note over U,S: Slack approve_ action
  U->>S: Block action (approve_<id>)
  S->>DB: Check processed status
  alt Already processed
    S-->>U: Respond "already processed"
  else Not processed
    S->>DB: Mark processed (approve)
    S-->>U: "Approving submission..."
    par
      S->>Slack: async replace message (if response_url)
    and
      S->>DB: Update KYB profile/status (Approved)
      S->>E: Send approval email
      S->>Slack: Send approval feedback
    end
    S-->>U: Finalize
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix: resolve KYB resubmission Slack interaction issues #544 — Modifies Slack KYB approval/rejection handling in controllers/index.go; strongly related to the approve_ flow changes in this PR.

Suggested reviewers

• chibie
• 5ran6
• onahprosper

Poem

I twitch my nose at headers new,
I parse each Origin, Referer too.
Whitelists guard the carrot field,
Subdomains hop — their safety sealed.
Thump-thump: the sender’s gate held true. 🐇

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Out of Scope Changes Check	⚠️ Warning	The pull request includes unrelated modifications such as commenting out the tmpfs build cache entry in docker-compose.yml and adding Slack interaction approval logic in controllers/index.go, neither of which pertains to the domain whitelist validation objectives.	Please remove or relocate the Docker Compose cache configuration change and the Slack interaction handling updates into separate pull requests so that this PR focuses solely on domain whitelist validation.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title clearly summarizes the main change of implementing and enforcing domain whitelist validation for sender endpoints, matching the core purpose of the pull request without introducing unrelated details or vague phrasing.
Linked Issues Check	✅ Passed	The pull request fully addresses all objectives from issue #522 by adding domain extraction and normalization utilities, implementing the DomainWhitelistMiddleware on sender routes, updating CORS middleware to respect whitelists, providing subdomain support and backward compatibility, and including tests for both utilities and middleware.
Description Check	✅ Passed	The description follows the repository’s template by providing a clear Description section with background and implementation details, a References section linking the issue, a comprehensive Testing section with unit and manual steps plus environment information, and a completed Checklist, ensuring all required information is present.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 522-implement-and-enforce-domain-whitelist-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

routers/middleware/cors.go (1)

29-36: CORS: "*" with credentials is invalid; add Vary and gate credentials.

Per CORS, you cannot use Access-Control-Allow-Origin: * with Allow-Credentials: true. This will break browser CORS and is a security posture smell.

-        ctx.Writer.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
+        ctx.Header("Access-Control-Allow-Origin", allowedOrigin)
         ctx.Writer.Header().Set("Access-Control-Max-Age", "86400")
         ctx.Writer.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, UPDATE")
         ctx.Writer.Header().Set("Access-Control-Allow-Headers", "Origin, Content-Type, api_key, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, API-Key, Client-Type")
         ctx.Writer.Header().Set("Access-Control-Expose-Headers", "Content-Length")
-        ctx.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
+        // CORS best practice: gate credentials and add Vary
+        if allowedOrigin != "*" {
+            ctx.Header("Vary", "Origin, Access-Control-Request-Method, Access-Control-Request-Headers")
+            ctx.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
+        } else {
+            ctx.Writer.Header().Set("Access-Control-Allow-Credentials", "false")
+        }

🧹 Nitpick comments (11)

routers/middleware/cors.go (4)

94-101: Mirror CORS fixes for API‑Key CORS path.

Apply the same credentials gating + Vary header here too.

-        ctx.Writer.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
+        ctx.Header("Access-Control-Allow-Origin", allowedOrigin)
         ctx.Writer.Header().Set("Access-Control-Max-Age", "86400")
         ctx.Writer.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, UPDATE")
         ctx.Writer.Header().Set("Access-Control-Allow-Headers", "Origin, Content-Type, api_key, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, API-Key, Client-Type")
         ctx.Writer.Header().Set("Access-Control-Expose-Headers", "Content-Length")
-        ctx.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
+        if allowedOrigin != "*" {
+            ctx.Header("Vary", "Origin, Access-Control-Request-Method, Access-Control-Request-Headers")
+            ctx.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
+        } else {
+            ctx.Writer.Header().Set("Access-Control-Allow-Credentials", "false")
+        }

---

118-126: Minor: Avoid parsing empty API key.

Check for empty API-Key before uuid.Parse to skip needless parsing.

-    apiKey := ctx.GetHeader("API-Key")
-    apiKeyUUID, err := uuid.Parse(apiKey)
-    if err != nil {
-        return "*"
-    }
-
-    if apiKey == "" {
-        return "*"
-    }
+    apiKey := ctx.GetHeader("API-Key")
+    if apiKey == "" {
+        return "*"
+    }
+    apiKeyUUID, err := uuid.Parse(apiKey)
+    if err != nil {
+        return "*"
+    }

---

37-43: Use project logger for OPTIONS logs; reduce noise.

Swap log.Println("OPTIONS") for your structured logger at debug level to keep logs consistent.

---

25-27: Route detection via substring is brittle.

strings.Contains(path, "/sender/") can false‑match. Prefer mounting this middleware only on the sender route group or using a robust prefix check.

Also applies to: 90-92

utils/domain.go (3)

3-6: Prepare to strip ports during normalization.

Add net import to support port-stripping in NormalizeDomain.

-import (
-    "net/url"
-    "strings"
-)
+import (
+    "net"
+    "net/url"
+    "strings"
+)

---

51-57: Normalize domains by stripping ports and IPv6 brackets.

This lets whitelist entries like "example.com" match origins like "https://example.com:3000" and handles IPv6 hosts.

     domain = strings.ToLower(domain)
     if strings.HasPrefix(domain, "www.") {
         domain = domain[4:]
     }
 
-    return domain
+    // Strip port if present (e.g., example.com:3000 or [::1]:3000)
+    if h, _, err := net.SplitHostPort(domain); err == nil {
+        domain = h
+    } else if strings.HasPrefix(domain, "[") && strings.HasSuffix(domain, "]") {
+        // IPv6 host without port like [::1]
+        domain = strings.Trim(domain, "[]")
+    }
+    return domain

---

70-93: Confirm desired behavior for empty/invalid headers.

Current logic allows when requestDomain is empty or parsing fails upstream. If a whitelist is configured, consider default‑deny on parse errors to avoid easy bypass via malformed headers (non‑browser clients).

Do you want me to adjust IsDomainAllowed to treat parse errors as deny when whitelist is non‑empty? I can provide a patch and tests.

routers/middleware/domain_whitelist_test.go (1)

35-66: Consider adding port and referer scenarios.

Add cases for:

• Origin with port (https://example.com:8443) vs whitelist ["example.com"].
• Missing Origin with Referer present.
• Invalid Origin when whitelist is non‑empty (expect 403 if you adopt default‑deny on parse errors).

I can extend the table tests if you want a patch.

utils/domain_test.go (1)

103-156: Add host:port matching tests to lock in behavior after normalization change.

Propose tests:

• requestDomain "example.com:3000", whitelist ["example.com"] -> true
• requestDomain "[::1]:3000", whitelist ["::1"] -> true

I can add these table rows if you proceed with port-stripping normalization.

routers/middleware/domain_whitelist.go (2)

114-124: Apply the same default‑deny on parse errors for API‑Key path.

Mirror the fail‑closed behavior for API‑key middleware.

-        requestDomain, err := u.ExtractDomainFromRequest(origin, referer)
-        if err != nil {
-            logger.WithFields(logger.Fields{
-                "origin":  origin,
-                "referer": referer,
-                "error":   err.Error(),
-            }).Warnf("Failed to extract domain from request headers")
-
-            c.Next()
-            return
-        }
+        requestDomain, err := u.ExtractDomainFromRequest(origin, referer)
+        if err != nil {
+            logger.WithFields(logger.Fields{
+                "origin":  origin,
+                "referer": referer,
+                "error":   err.Error(),
+            }).Warnf("Failed to extract domain from request headers")
+            if len(senderProfile.DomainWhitelist) > 0 {
+                u.APIResponse(c, http.StatusForbidden, "error",
+                    "Access denied: Invalid Origin/Referer header", map[string]interface{}{
+                        "origin": origin, "referer": referer,
+                    })
+                c.Abort()
+                return
+            }
+            c.Next()
+            return
+        }

---

78-89: Operational: Avoid duplicate DB lookups by caching sender in context.

If API‑Key auth already resolved the sender elsewhere, consider setting it in context and reusing rather than re‑querying here.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ffbf5b0 and 2f85f43.

📒 Files selected for processing (7)

• docker-compose.yml (1 hunks)
• routers/index.go (1 hunks)
• routers/middleware/cors.go (2 hunks)
• routers/middleware/domain_whitelist.go (1 hunks)
• routers/middleware/domain_whitelist_test.go (1 hunks)
• utils/domain.go (1 hunks)
• utils/domain_test.go (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (5)

routers/index.go (1)

routers/middleware/domain_whitelist.go (1)

• DomainWhitelistMiddleware (17-76)

routers/middleware/domain_whitelist_test.go (1)

routers/middleware/domain_whitelist.go (1)

• DomainWhitelistMiddleware (17-76)

utils/domain_test.go (1)

utils/domain.go (3)

• ExtractDomainFromOrigin (8-19)
• NormalizeDomain (46-57)
• IsDomainAllowed (70-93)

routers/middleware/domain_whitelist.go (3)

utils/domain.go (2)

• ExtractDomainFromRequest (34-44)
• IsDomainAllowed (70-93)

utils/logger/logger.go (4)

• WithFields (76-109)
• Fields (73-73)
• Warnf (133-138)
• Debugf (117-122)

utils/http.go (1)

• APIResponse (23-29)

routers/middleware/cors.go (2)

utils/domain.go (2)

• ExtractDomainFromOrigin (8-19)
• IsDomainAllowed (70-93)

ent/client.go (1)

• Client (48-104)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-and-test

🔇 Additional comments (5)

docker-compose.yml (1)

41-41: Remove dead tmpfs-cache volume configuration
Remove the commented-out mount (line 41) and the unused named volume definition (lines 52–56) to avoid dead config.

 services:
@@
     volumes:
       - .:/app
-     #  - tmpfs-cache:/root/.cache/go-build  # Add tmpfs volume for build cache
@@
-# Define volumes
-volumes:
-  tmpfs-cache:
-    driver: local
-    driver_opts:
-      type: tmpfs
-      device: tmpfs

routers/index.go (2)

127-129: LGTM: Whitelist middleware mounted on sender routes.

Good placement after auth and OnlySender. This enforces domain checks where intended.

---

123-129: No additional whitelist middleware needed for API-Key flows
DynamicAuthMiddleware invokes APIKeyMiddleware for “/sender/” requests, setting sender in context before DomainWhitelistMiddleware, so API-Key requests are already subject to domain whitelist enforcement.

routers/middleware/domain_whitelist_test.go (1)

24-33: Nice: Focused middleware test harness.

Injecting a mock sender into context and exercising the whitelist permutations is clean and effective.

utils/domain_test.go (1)

7-44: Solid coverage for ExtractDomainFromOrigin.

Good mix of valid/invalid and empty inputs.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

routers/middleware/cors.go (1)

21-23: Path check is brittle

strings.Contains on URL path can misfire. Prefer group-based middleware or HasPrefix on a known base path (e.g., /v1/sender/).

routers/middleware/domain_whitelist.go (1)

19-22: Path gating could be more precise

Use router grouping or c.FullPath() and prefix match to avoid accidental matches on paths that merely contain “/sender/”.

Also applies to: 24-28, 32-35

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f85f43 and e5bd4be.

📒 Files selected for processing (2)

• routers/middleware/cors.go (1 hunks)
• routers/middleware/domain_whitelist.go (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

routers/middleware/cors.go (2)

utils/domain.go (2)

• ExtractDomainFromOrigin (8-19)
• IsDomainAllowed (70-93)

ent/client.go (1)

• Client (48-104)

routers/middleware/domain_whitelist.go (3)

utils/domain.go (2)

• ExtractDomainFromRequest (34-44)
• IsDomainAllowed (70-93)

utils/logger/logger.go (4)

• WithFields (76-109)
• Fields (73-73)
• Warnf (133-138)
• Debugf (117-122)

utils/http.go (1)

• APIResponse (23-29)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-and-test

🔇 Additional comments (5)

routers/middleware/cors.go (2)

37-49: Duplicate domain/whitelist logic with DomainWhitelist middleware

getCORSOrigin/validateDomain* repeat checks already in DomainWhitelistMiddleware. Extract a shared helper (e.g., utils.ResolveAllowedOrigin) to remove duplication.

---

79-83: Fix: ent .Only requires stdlib context, not gin.Context

Replace .Only(ctx) with the request context to compile.

-        .Only(ctx)
+        .Only(ctx.Request.Context())

routers/middleware/domain_whitelist.go (3)

40-57: LGTM: Fail-closed behavior when whitelist configured

Good: invalid Origin/Referer now blocks when a whitelist exists; permissive only when empty whitelist.

---

59-74: LGTM: Explicit 403 on whitelist violations with useful context logs

Clear response and structured logs.

---

104-108: Fix: ent .Only requires stdlib context, not gin.Context

Replace .Only(c) with request context.

-            .Only(c)
+            .Only(c.Request.Context())

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 21f4f38 and 5074107.

📒 Files selected for processing (2)

• controllers/index.go (1 hunks)
• routers/index.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• routers/index.go

🧰 Additional context used

🧬 Code graph analysis (1)

controllers/index.go (6)

utils/logger/logger.go (3)

• Warnf (133-138)
• Errorf (141-146)
• Infof (125-130)

ent/kybprofile/where.go (3)

• CompanyName (75-77)
• IDEQ (20-22)
• ID (15-17)

ent/client.go (1)

• Client (48-104)

storage/database.go (1)

• Client (21-21)

ent/user/where.go (2)

• IDEQ (20-22)
• ID (15-17)

ent/user/user.go (1)

• KybVerificationStatusApproved (140-140)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-and-test