feat(server): support multiple hosts in one deployment

Author: fengmk2

.docker/selfhost/schema.json

@@ -540,6 +540,11 @@
           "description": "Where the server get deployed(FQDN).\n@default \"localhost\"\n@environment `AFFINE_SERVER_HOST`",
           "default": "localhost"
         },
+        "hosts": {
+          "type": "array",
+          "description": "Multiple hosts the server will accept requests from.\n@default []",
+          "default": []
+        },
         "port": {
           "type": "number",
           "description": "Which port the server will listen on.\n@default 3010\n@environment `AFFINE_SERVER_PORT`",

.github/actions/deploy/deploy.mjs

@@ -126,7 +126,10 @@ const createHelmCommand = ({ isDryRun }) => {
         ? 'internal'
         : 'dev';
 
-  const host = DEPLOY_HOST || CANARY_DEPLOY_HOST;
+  const hosts = (DEPLOY_HOST || CANARY_DEPLOY_HOST)
+    .split(',')
+    .map(host => host.trim())
+    .filter(host => host);
   const deployCommand = [
     `helm upgrade --install affine .github/helm/affine`,
     `--namespace  ${namespace}`,
@@ -135,22 +138,24 @@ const createHelmCommand = ({ isDryRun }) => {
     `--set-string global.app.buildType="${buildType}"`,
     `--set        global.ingress.enabled=true`,
     `--set-json   global.ingress.annotations="{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }"`,
-    `--set-string global.ingress.host="${host}"`,
+    ...hosts.map(
+      (host, index) => `--set global.ingress.hosts[${index}]=${host}`
+    ),
     `--set-string global.version="${APP_VERSION}"`,
     ...redisAndPostgres,
     ...indexerOptions,
     `--set        web.replicaCount=${replica.web}`,
     `--set-string web.image.tag="${imageTag}"`,
     `--set        graphql.replicaCount=${replica.graphql}`,
     `--set-string graphql.image.tag="${imageTag}"`,
-    `--set        graphql.app.host=${host}`,
+    `--set        graphql.app.host=${hosts[0]}`,
     `--set        sync.replicaCount=${replica.sync}`,
     `--set-string sync.image.tag="${imageTag}"`,
     `--set-string renderer.image.tag="${imageTag}"`,
-    `--set        renderer.app.host=${host}`,
+    `--set        renderer.app.host=${hosts[0]}`,
     `--set        renderer.replicaCount=${replica.renderer}`,
     `--set-string doc.image.tag="${imageTag}"`,
-    `--set        doc.app.host=${host}`,
+    `--set        doc.app.host=${hosts[0]}`,
     `--set        doc.replicaCount=${replica.doc}`,
     ...serviceAnnotations,
     ...resources,

.github/helm/affine/templates/ingress.yaml

@@ -36,7 +36,8 @@ spec:
     {{- end }}
   {{- end }}
   rules:
-    - host: "{{ .Values.global.ingress.host }}"
+    {{- range .Values.global.ingress.hosts }}
+    - host: {{ . | quote }}
       http:
         paths:
           - path: /socket.io
@@ -45,33 +46,34 @@ spec:
               service:
                 name: affine-sync
                 port:
-                  number: {{ .Values.sync.service.port }}
+                  number: {{ $.Values.sync.service.port }}
           - path: /graphql
             pathType: Prefix
             backend:
               service:
                 name: affine-graphql
                 port:
-                  number: {{ .Values.graphql.service.port }}
+                  number: {{ $.Values.graphql.service.port }}
           - path: /api
             pathType: Prefix
             backend:
               service:
                 name: affine-graphql
                 port:
-                  number: {{ .Values.graphql.service.port }}
+                  number: {{ $.Values.graphql.service.port }}
           - path: /workspace
             pathType: Prefix
             backend:
               service:
                 name: affine-renderer
                 port:
-                  number: {{ .Values.renderer.service.port }}
+                  number: {{ $.Values.renderer.service.port }}
           - path: /
             pathType: Prefix
             backend:
               service:
                 name: affine-web
                 port:
-                  number: {{ .Values.web.service.port }}
+                  number: {{ $.Values.web.service.port }}
+    {{- end }}
 {{- end }}

.github/helm/affine/values.yaml

@@ -4,7 +4,13 @@ global:
   ingress:
     enabled: false
     className: ''
-    host: affine.pro
+    # hosts for ingress rules
+    # e.g.
+    # hosts:
+    #  - affine.pro
+    #  - www.affine.pro
+    hosts:
+      - affine.pro
     tls: []
   secret:
     secretName: 'server-private-key'

packages/backend/server/src/__tests__/oauth/controller.spec.ts

@@ -37,6 +37,10 @@ test.before(async t => {
             },
           },
         },
+        server: {
+          hosts: ['localhost', 'test.affine.dev'],
+          https: true,
+        },
       }),
       AppModule,
     ],
@@ -90,6 +94,38 @@ test("should be able to redirect to oauth provider's login page", async t => {
   );
 });
 
+test('should be able to redirect to oauth provider with multiple hosts', async t => {
+  const { app } = t.context;
+
+  const res = await app
+    .POST('/api/oauth/preflight')
+    .set('host', 'test.affine.dev')
+    .send({ provider: 'Google' })
+    .expect(HttpStatus.OK);
+
+  const { url } = res.body;
+
+  const redirect = new URL(url);
+  t.is(redirect.origin, 'https://accounts.google.com');
+
+  t.is(redirect.pathname, '/o/oauth2/v2/auth');
+  t.is(redirect.searchParams.get('client_id'), 'google-client-id');
+  t.is(
+    redirect.searchParams.get('redirect_uri'),
+    'https://test.affine.dev/oauth/callback'
+  );
+  t.is(redirect.searchParams.get('response_type'), 'code');
+  t.is(redirect.searchParams.get('prompt'), 'select_account');
+  t.truthy(redirect.searchParams.get('state'));
+  // state should be a json string
+  const state = JSON.parse(redirect.searchParams.get('state')!);
+  t.is(state.provider, 'Google');
+  t.regex(
+    state.state,
+    /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
+  );
+});
+
 test('should be able to redirect to oauth provider with client_nonce', async t => {
   const { app } = t.context;
 

packages/backend/server/src/app.module.ts

@@ -8,6 +8,7 @@ import { ClsModule } from 'nestjs-cls';
 
 import { AppController } from './app.controller';
 import {
+  getRequestFromHost,
   getRequestIdFromHost,
   getRequestIdFromRequest,
   ScannerModule,
@@ -66,8 +67,9 @@ export const FunctionalityModules = [
         // make every request has a unique id to tracing
         return getRequestIdFromRequest(req, 'http');
       },
-      setup(cls, _req, res: Response) {
+      setup(cls, req: Request, res: Response) {
         res.setHeader('X-Request-Id', cls.getId());
+        cls.set(CLS_REQUEST_HOST, req.hostname);
       },
     },
     // for websocket connection
@@ -79,6 +81,10 @@ export const FunctionalityModules = [
         // make every request has a unique id to tracing
         return getRequestIdFromHost(context);
       },
+      setup(cls, context: ExecutionContext) {
+        const req = getRequestFromHost(context);
+        cls.set(CLS_REQUEST_HOST, req.hostname);
+      },
     },
     plugins: [
       // https://papooch.github.io/nestjs-cls/plugins/available-plugins/transactional/prisma-adapter

packages/backend/server/src/base/helpers/__tests__/url.spec.ts

@@ -12,6 +12,7 @@ test.beforeEach(async t => {
     server: {
       externalUrl: '',
       host: 'app.affine.local',
+      hosts: [],
       port: 3010,
       https: true,
       path: '',
@@ -28,6 +29,7 @@ test('can factor base url correctly with specified external url', t => {
     server: {
       externalUrl: 'https://external.domain.com',
       host: 'app.affine.local',
+      hosts: [],
       port: 3010,
       https: true,
       path: '/ignored',
@@ -42,6 +44,7 @@ test('can factor base url correctly with specified external url and path', t =>
     server: {
       externalUrl: 'https://external.domain.com/anything',
       host: 'app.affine.local',
+      hosts: [],
       port: 3010,
       https: true,
       path: '/ignored',
@@ -56,6 +59,7 @@ test('can factor base url correctly with specified external url with port', t =>
     server: {
       externalUrl: 'https://external.domain.com:123',
       host: 'app.affine.local',
+      hosts: [],
       port: 3010,
       https: true,
     },
@@ -95,7 +99,7 @@ test('can safe redirect', t => {
 
   function deny(to: string) {
     t.context.url.safeRedirect(res, to);
-    t.true(spy.calledOnceWith(t.context.url.home));
+    t.true(spy.calledOnceWith(t.context.url.baseUrl));
     spy.resetHistory();
   }
 
@@ -106,3 +110,38 @@ test('can safe redirect', t => {
   ].forEach(allow);
   ['https://other.domain.com', 'a://invalid.uri'].forEach(deny);
 });
+
+test('can get request origin', t => {
+  t.is(t.context.url.requestOrigin, 'https://app.affine.local');
+});
+
+test('can get request base url', t => {
+  t.is(t.context.url.requestBaseUrl, 'https://app.affine.local');
+});
+
+test('can get request base url with multiple hosts', t => {
+  // mock cls
+  const cls = new Map<string, string>();
+  const url = new URLHelper(
+    {
+      server: {
+        externalUrl: '',
+        host: 'app.affine.local1',
+        hosts: ['app.affine.local1', 'app.affine.local2'],
+        port: 3010,
+        https: true,
+        path: '',
+      },
+    } as any,
+    cls as any
+  );
+
+  // no cls, use default origin
+  t.is(url.requestOrigin, 'https://app.affine.local1');
+  t.is(url.requestBaseUrl, 'https://app.affine.local1');
+
+  // set cls
+  cls.set(CLS_REQUEST_HOST, 'app.affine.local2');
+  t.is(url.requestOrigin, 'https://app.affine.local2');
+  t.is(url.requestBaseUrl, 'https://app.affine.local2');
+});

packages/backend/server/src/base/helpers/url.ts

@@ -2,6 +2,7 @@ import { isIP } from 'node:net';
 
 import { Injectable } from '@nestjs/common';
 import type { Response } from 'express';
+import { ClsService } from 'nestjs-cls';
 
 import { Config } from '../config';
 import { OnEvent } from '../event';
@@ -11,10 +12,13 @@ export class URLHelper {
   redirectAllowHosts!: string[];
 
   origin!: string;
+  allowedOrigins!: string[];
   baseUrl!: string;
-  home!: string;
 
-  constructor(private readonly config: Config) {
+  constructor(
+    private readonly config: Config,
+    private readonly cls?: ClsService
+  ) {
     this.init();
   }
 
@@ -34,19 +38,40 @@ export class URLHelper {
       this.baseUrl =
         externalUrl.origin + externalUrl.pathname.replace(/\/$/, '');
     } else {
-      this.origin = [
-        this.config.server.https ? 'https' : 'http',
-        '://',
-        this.config.server.host,
-        this.config.server.host === 'localhost' || isIP(this.config.server.host)
-          ? `:${this.config.server.port}`
-          : '',
-      ].join('');
+      this.origin = this.convertHostToOrigin(this.config.server.host);
       this.baseUrl = this.origin + this.config.server.path;
     }
 
-    this.home = this.baseUrl;
     this.redirectAllowHosts = [this.baseUrl];
+
+    this.allowedOrigins = [this.origin];
+    if (this.config.server.hosts.length > 0) {
+      for (const host of this.config.server.hosts) {
+        this.allowedOrigins.push(this.convertHostToOrigin(host));
+      }
+    }
+  }
+
+  get requestOrigin() {
+    if (this.config.server.hosts.length === 0) {
+      return this.origin;
+    }
+
+    // support multiple hosts
+    const requestHost = this.cls?.get<string | undefined>(CLS_REQUEST_HOST);
+    if (!requestHost || !this.config.server.hosts.includes(requestHost)) {
+      return this.origin;
+    }
+
+    return this.convertHostToOrigin(requestHost);
+  }
+
+  get requestBaseUrl() {
+    if (this.config.server.hosts.length === 0) {
+      return this.baseUrl;
+    }
+
+    return this.requestOrigin + this.config.server.path;
   }
 
   stringify(query: Record<string, any>) {
@@ -72,7 +97,7 @@ export class URLHelper {
   }
 
   url(path: string, query: Record<string, any> = {}) {
-    const url = new URL(path, this.origin);
+    const url = new URL(path, this.requestOrigin);
 
     for (const key in query) {
       url.searchParams.set(key, query[key]);
@@ -87,7 +112,7 @@ export class URLHelper {
 
   safeRedirect(res: Response, to: string) {
     try {
-      const finalTo = new URL(decodeURIComponent(to), this.baseUrl);
+      const finalTo = new URL(decodeURIComponent(to), this.requestBaseUrl);
 
       for (const host of this.redirectAllowHosts) {
         const hostURL = new URL(host);
@@ -103,7 +128,7 @@ export class URLHelper {
     }
 
     // redirect to home if the url is invalid
-    return res.redirect(this.home);
+    return res.redirect(this.baseUrl);
   }
 
   verify(url: string | URL) {
@@ -118,4 +143,13 @@ export class URLHelper {
       return false;
     }
   }
+
+  private convertHostToOrigin(host: string) {
+    return [
+      this.config.server.https ? 'https' : 'http',
+      '://',
+      host,
+      host === 'localhost' || isIP(host) ? `:${this.config.server.port}` : '',
+    ].join('');
+  }
 }