
Extend vaadin.devmode.hostsAllowed to not only IP addresses #21089

Open
RSM-CWI opened this issue Mar 6, 2025 · 5 comments

Comments

@RSM-CWI

RSM-CWI commented Mar 6, 2025

Describe your motivation

Even in development we are using HTTPS and OIDC/OAuth2, so our URLs are neither "localhost" nor some IP address. They look like this:
https://machinename.intern.company.de:8441

so Vaadin Copilot and DevTools will not work...

vaadin.devmode.hostsAllowed= just accepts IP addresses

Describe the solution you'd like

I'd expect to allow something like this:

vaadin.devmode.hostsAllowed=https://machinename.intern.company.de:8441
or
vaadin.devmode.hostsAllowed=*.company.de
or whatever, so that the logical URLs can make use of the Vaadin dev tools as well.

Describe alternatives you've considered

No response

Additional context

No response

@mshabarov mshabarov transferred this issue from vaadin/platform Mar 6, 2025
@mcollovati
Collaborator

mcollovati commented Mar 9, 2025

The current check is done against servlet request HttpServletRequest.getRemoteAddr() and X-Forwarded-For header.
Getting the client hostname could potentially be done via HttpServletRequest.getRemoteHost(), but it is most likely that the method will instead return the same as getRemoteAddr, especially if there are proxy servers between the client and the application server.

Here's a quote from the Javadoc:

Returns the fully qualified name of the client or the last proxy that sent the request. If the engine cannot or chooses not to resolve the hostname (to improve performance), this method returns the dotted-string form of the IP address.

We can potentially do some sort of reverse DNS lookup (e.g. InetAddress.getAllByName()), but it still may not work as expected because the local resolver might not provide any results, or it may give several hostnames, but not the client one.
In addition, this will slow down the initial request.

@RSM-CWI
Author

RSM-CWI commented Mar 10, 2025

Questions:

  1. How does "localhost" differ from "mycomputer.company.tld"?
  2. Why do you restrict Copilot to localhost anyway? Just restrict it from production mode! Or to Development Mode...
     Am I missing something? @mcollovati

@mcollovati
Collaborator

mcollovati commented Mar 10, 2025

Note: I edited the previous comment because there was a typo.

DevTools are enabled only in development mode and if vaadin.devmode.devTools.enabled is not set or set to true.
When accessing the application on localhost, you connect through a loopback interface, so DNS resolution is not required to determine whether the host should be allowed or not. Connecting using a hostname will most likely return a local IP address; getRemoteHost() may give you a host name, but it could also return the same IP address as you get from getRemoteAddr(). Anyway, to resolve the hostname, a DNS lookup is still required, whether it is done by the servlet container or by Vaadin code. Additionally, you may have multiple hostnames defined for the local IP address, so Vaadin should potentially try to check all of them.
And this is when directly connecting to the application server. If there are proxies in the middle, it becomes more complicated.

The restriction in development mode is done to prevent access by other devices on the same network, when the application server is bound to public network interfaces.
However, if you trust your network, you can set vaadin.devmode.hostsAllowed=* to allow access to everyone.

I hope this answers your questions.
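
Added illustration (not Vaadin's code and not posted by anyone in the thread): the check mcollovati describes, the remote address and X-Forwarded-For hops compared against the allow list, extended with forward resolution of hostname entries so that an entry like machinename.intern.company.de can match, plus the `*` escape hatch from the comment above. The class and method names are invented for the example; the hostname is the placeholder from the issue.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
// Hypothetical illustration, not Vaadin's code: the check the thread describes
// (remote address and X-Forwarded-For hops against an allow list), with hostname
// entries honoured by forward-resolving them to addresses.
public class DevModeHostCheck {
    // Candidates: the socket peer (getRemoteAddr()) plus every X-Forwarded-For hop.
    // That header is client-supplied unless a trusted proxy sets it, so honouring
    // it widens what "allowed" means; this mirrors the thread, it is not a hardening.
    static List<String> candidateAddresses(String remoteAddr, String xForwardedFor) {
        List<String> candidates = new ArrayList<>();
        candidates.add(remoteAddr);
        if (xForwardedFor != null) {
            for (String hop : xForwardedFor.split(",")) candidates.add(hop.trim());
        }
        return candidates;
    }

    // Forward-resolves one entry: an IP literal returns unchanged with no DNS query,
    // a hostname may yield several addresses, an unresolvable one matches nothing.
    static Set<String> resolve(String entry) {
        Set<String> addrs = new HashSet<>();
        try {
            for (InetAddress a : InetAddress.getAllByName(entry)) addrs.add(a.getHostAddress());
        } catch (UnknownHostException e) {
            // deliberately empty: never fall back to "allow"
        }
        return addrs;
    }

    static boolean isAllowed(String remoteAddr, String xForwardedFor, Set<String> allowed) {
        if (allowed.contains("*")) return true; // the escape hatch from the thread
        List<String> candidates = candidateAddresses(remoteAddr, xForwardedFor);
        for (String entry : allowed) {
            for (String addr : resolve(entry)) {
                if (candidates.contains(addr)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("127.0.0.1", "machinename.intern.company.de"); // constructed sample
        System.out.println(isAllowed("127.0.0.1", null, allowed) + " " + isAllowed("10.0.0.7", null, allowed));
    }
}
```

Behind a proxy the socket peer is the proxy itself, so only the X-Forwarded-For hops can ever match a developer's hostname, which is exactly the complication noted above.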

@Artur-
Member

Artur- commented Mar 10, 2025

Do note that all hosts you allow to connect can make changes to the project files on your disk. Copilot uses the communications channel to update files, and the restriction is in place to avoid that anybody you share your development URL with can modify your code.

@RSM-CWI
Author

RSM-CWI commented Mar 10, 2025

First of all: vaadin.devmode.hostsAllowed=* works fine! Thanks (unfortunately just in application.properties, not in application.yaml, but I do not mind toooooo hard ;-)) And @Artur- I'll take the risk.
I understand both of you.
@mcollovati I (and I assume many customers developing OIDC based apps) would appreciate if you could put some extra effort in finding an efficient way to match the DNS names to the hostsAllowed. Thanks again.
Probably it would be a good idea to not allow wildcards so that every developer has to apply their own machine URL. That probably would make the matching easier...?!?
