From 77a7c7a2101dc2223f3b63982a994f7884b468f4 Mon Sep 17 00:00:00 2001 From: Matthias Mohr Date: Fri, 12 May 2023 16:17:26 +0200 Subject: [PATCH] Apply allowedDomains to headers and query parameters #313 --- README.md | 5 ++++- src/store/utils.js | 13 ++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 5a16299a..d0c874dd 100644 --- a/README.md +++ b/README.md @@ -160,6 +160,7 @@ Must be set to `true` if a `catalogUrl` is not given as otherwise you won't be a #### allowedDomains You can list additional domains (e.g. `example.com`) that private data is sent to, e.g. authentication data. +This applies to query paramaters and request headers. #### apiCatalogPriority @@ -332,6 +333,7 @@ The value for the [`crossorigin` attribute](https://developer.mozilla.org/en-US/ ***experimental*** The headers given in this option are added to all requests that are sent to the selected STAC catalog or API. +This is affected by [`allowedDomains`](#alloweddomains). Example: `{'Authorization': 'Bearer 134567984623223'}` adds a Bearer token to the HTTP headers. @@ -342,6 +344,7 @@ Please note that this option can only be provided through a config file and is n ***experimental*** The query parameters given in this option are added to all requests that are sent to the selected STAC catalog or API. +This is affected by [`allowedDomains`](#alloweddomains). Example: `{'f': 'json'}` adds a `f` query parameter to the HTTP URL, e.g. `https://example.com?f=json`. 
@@ -352,7 +355,7 @@ Please note that this option can only be provided through a config file and is n ***experimental*** This allows to enable a simple authentication form where a user can input a token, an API key or similar things. -It is disabled by default (`null`). If enabled, the token provided by the user can be used in the HTTP headers or in the query parameters of the requests. +It is disabled by default (`null`). If enabled, the token provided by the user can be used in the HTTP headers or in the query parameters of the requests. This option is affected by [`allowedDomains`](#alloweddomains). There are four options you can set in the `authConfig` object: diff --git a/src/store/utils.js b/src/store/utils.js index f491f562..fafba039 100644 --- a/src/store/utils.js +++ b/src/store/utils.js @@ -16,24 +16,31 @@ export async function stacRequest(cx, link) { let headers = { 'Accept-Language': cx.getters.acceptedLanguages }; - Object.assign(headers, cx.state.requestHeaders); if (Utils.isObject(link)) { let method = typeof link.method === 'string' ? link.method.toLowerCase() : 'get'; + let url = cx.getters.getRequestUrl(link.href); + if (!cx.getters.isExternalUrl(url)) { + Object.assign(headers, cx.state.requestHeaders); + } if (Utils.isObject(link.headers)) { Object.assign(headers, link.headers); } opts = { method, - url: cx.getters.getRequestUrl(link.href), + url, headers, data: link.body // ToDo: Support for merge property from STAC API }; } else if (typeof link === 'string') { + let url = cx.getters.getRequestUrl(link); + if (!cx.getters.isExternalUrl(url)) { + Object.assign(headers, cx.state.requestHeaders); + } opts = { method: 'get', - url: cx.getters.getRequestUrl(link), + url, headers }; }
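Review bot: The gate added at `if (!cx.getters.isExternalUrl(url))` withholds only `cx.state.requestHeaders`; nothing in this patch touches query parameters, so the README lines stating that `requestQueryParameters` and the `authConfig` token are affected by `allowedDomains` hold only if `getRequestUrl` (outside this diff) already applies the same check — worth confirming before the documentation hunks land with this one. The four-line check is repeated verbatim in the object and string branches; since it is the single decision point for whether private data leaves the configured domains, it is easier to audit as one helper, as sketched below. Note that `link.headers` is still merged unconditionally after the gate, which looks intended (it comes from the catalog document rather than user configuration) but deserves a one-line comment such as `// link.headers originate from the STAC document, not from private config, so they are not subject to allowedDomains`. stacRequest continues past the end of the hunk, so the request itself and any redirect handling that could carry the merged headers to another host are not visible here.

```javascript
// Merges the configured private request headers into `headers` only when
// `url` is not external under allowedDomains (cx.getters.isExternalUrl).
function addPrivateHeaders(cx, headers, url) {
  if (!cx.getters.isExternalUrl(url)) {
    Object.assign(headers, cx.state.requestHeaders);
  }
}

export async function stacRequest(cx, link) {
  // … unchanged: headers initialisation …
  if (Utils.isObject(link)) {
    let method = typeof link.method === 'string' ? link.method.toLowerCase() : 'get';
    let url = cx.getters.getRequestUrl(link.href);
    addPrivateHeaders(cx, headers, url);
    // … unchanged: link.headers merge and opts construction …
  }
  else if (typeof link === 'string') {
    let url = cx.getters.getRequestUrl(link);
    addPrivateHeaders(cx, headers, url);
    // … unchanged: opts construction …
  }
  // … unchanged: remainder of stacRequest …
```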