From 84559a0e7d71c05be9a123a96cf589d0719500c7 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 20 Oct 2025 09:48:37 +0200
Subject: [PATCH 1/3] Changes auto-committed by Conductor

---
 app/Http/Middleware/TrustHosts.php            | 25 ++++++
 .../views/components/forms/datalist.blade.php | 10 +--
 tests/Feature/TrustHostsMiddlewareTest.php    | 81 +++++++++++++++++++
 3 files changed, 111 insertions(+), 5 deletions(-)

diff --git a/app/Http/Middleware/TrustHosts.php b/app/Http/Middleware/TrustHosts.php
index c2a2cb41a..080b18acc 100644
--- a/app/Http/Middleware/TrustHosts.php
+++ b/app/Http/Middleware/TrustHosts.php
@@ -4,11 +4,36 @@
 
 use App\Models\InstanceSettings;
 use Illuminate\Http\Middleware\TrustHosts as Middleware;
+use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Cache;
 use Spatie\Url\Url;
 
 class TrustHosts extends Middleware
 {
+    /**
+     * Handle the incoming request.
+     *
+     * Skip host validation for certain routes:
+     * - Terminal auth routes (called by realtime container)
+     * - API routes (use token-based authentication, not host validation)
+     * - Webhook endpoints (use cryptographic signature validation)
+     */
+    public function handle(Request $request, $next)
+    {
+        // Skip host validation for these routes
+        if ($request->is(
+            'terminal/auth',
+            'terminal/auth/ips',
+            'api/*',
+            'webhooks/*'
+        )) {
+            return $next($request);
+        }
+
+        // For all other routes, use parent's host validation
+        return parent::handle($request, $next);
+    }
+
     /**
      * Get the host patterns that should be trusted.
      *
diff --git a/resources/views/components/forms/datalist.blade.php b/resources/views/components/forms/datalist.blade.php
index 5bb12aa8d..05f6ca946 100644
--- a/resources/views/components/forms/datalist.blade.php
+++ b/resources/views/components/forms/datalist.blade.php
@@ -106,7 +106,7 @@ class="flex flex-wrap gap-1.5 max-h-40 overflow-y-auto scrollbar py-1.5 w-full t
                 wire:dirty.class="dark:border-l-warning border-l-coollabs border-l-4">
 
                 {{-- Selected Tags Inside Input --}}
-                <template x-for="value in selected" :key="value">
+                <template x-for="value in (selected || [])" :key="value">
                     <button
                         type="button"
                         @click.stop="removeOption(value, $event)"
@@ -133,13 +133,13 @@ class="flex-1 min-w-[120px] text-sm border-0 outline-none bg-transparent p-0 foc
 <div x-show="open && !{{ $disabled ? 'true' : 'false' }}" x-transition
     class="absolute z-50 w-full mt-1 bg-white dark:bg-coolgray-100 border border-neutral-300 dark:border-coolgray-400 rounded shadow-lg max-h-60 overflow-auto scrollbar">
 
-    <template x-if="filteredOptions.length === 0">
+    <template x-if="(filteredOptions || []).length === 0">
         <div class="px-3 py-2 text-sm text-neutral-500 dark:text-neutral-400">
             No options found
         </div>
     </template>
 
-    <template x-for="option in filteredOptions" :key="option.value">
+    <template x-for="option in (filteredOptions || [])" :key="option.value">
         <div @click="toggleOption(option.value)"
             class="px-3 py-2 cursor-pointer hover:bg-neutral-100 dark:hover:bg-coolgray-200 flex items-center gap-3"
             :class="{ 'bg-neutral-50 dark:bg-coolgray-300': isSelected(option.value) }">
@@ -262,13 +262,13 @@ class="shrink-0 text-neutral-400 px-2 {{ $disabled ? 'cursor-not-allowed' : 'cur
     <div x-show="open && !{{ $disabled ? 'true' : 'false' }}" x-transition
         class="absolute z-50 w-full mt-1 bg-white dark:bg-coolgray-100 border border-neutral-300 dark:border-coolgray-400 rounded shadow-lg max-h-60 overflow-auto scrollbar">
 
-        <template x-if="filteredOptions.length === 0">
+        <template x-if="(filteredOptions || []).length === 0">
             <div class="px-3 py-2 text-sm text-neutral-500 dark:text-neutral-400">
                 No options found
             </div>
         </template>
 
-        <template x-for="option in filteredOptions" :key="option.value">
+        <template x-for="option in (filteredOptions || [])" :key="option.value">
             <div @click="selectOption(option.value)"
                 class="px-3 py-2 cursor-pointer hover:bg-neutral-100 dark:hover:bg-coolgray-200"
                 :class="{ 'bg-neutral-50 dark:bg-coolgray-300': selected == option.value }">
diff --git a/tests/Feature/TrustHostsMiddlewareTest.php b/tests/Feature/TrustHostsMiddlewareTest.php
index f875a235e..b745259fe 100644
--- a/tests/Feature/TrustHostsMiddlewareTest.php
+++ b/tests/Feature/TrustHostsMiddlewareTest.php
@@ -227,3 +227,84 @@
     // Should only contain APP_URL pattern, not any FQDN
     expect($hosts2)->not->toBeEmpty();
 });
+
+it('skips host validation for terminal auth routes', function () {
+    // These routes should be accessible with any Host header (for internal container communication)
+    $response = $this->postJson('/terminal/auth', [], [
+        'Host' => 'coolify:8080',  // Internal Docker host
+    ]);
+
+    // Should not get 400 Bad Host (might get 401 Unauthorized instead)
+    expect($response->status())->not->toBe(400);
+});
+
+it('skips host validation for terminal auth ips route', function () {
+    // These routes should be accessible with any Host header (for internal container communication)
+    $response = $this->postJson('/terminal/auth/ips', [], [
+        'Host' => 'soketi:6002',  // Another internal Docker host
+    ]);
+
+    // Should not get 400 Bad Host (might get 401 Unauthorized instead)
+    expect($response->status())->not->toBe(400);
+});
+
+it('still enforces host validation for non-terminal routes', function () {
+    InstanceSettings::updateOrCreate(
+        ['id' => 0],
+        ['fqdn' => 'https://coolify.example.com']
+    );
+
+    // Regular routes should still validate Host header
+    $response = $this->get('/', [
+        'Host' => 'evil.com',
+    ]);
+
+    // Should get 400 Bad Host for untrusted host
+    expect($response->status())->toBe(400);
+});
+
+it('skips host validation for API routes', function () {
+    // All API routes use token-based auth (Sanctum), not host validation
+    // They should be accessible from any host (mobile apps, CLI tools, scripts)
+
+    // Test health check endpoint
+    $response = $this->get('/api/health', [
+        'Host' => 'internal-lb.local',
+    ]);
+    expect($response->status())->not->toBe(400);
+
+    // Test v1 health check
+    $response = $this->get('/api/v1/health', [
+        'Host' => '10.0.0.5',
+    ]);
+    expect($response->status())->not->toBe(400);
+
+    // Test feedback endpoint
+    $response = $this->post('/api/feedback', [], [
+        'Host' => 'mobile-app.local',
+    ]);
+    expect($response->status())->not->toBe(400);
+});
+
+it('skips host validation for webhook endpoints', function () {
+    // All webhook routes are under /webhooks/* prefix (see RouteServiceProvider)
+    // and use cryptographic signature validation instead of host validation
+
+    // Test GitHub webhook
+    $response = $this->post('/webhooks/source/github/events', [], [
+        'Host' => 'github-webhook-proxy.local',
+    ]);
+    expect($response->status())->not->toBe(400);
+
+    // Test GitLab webhook
+    $response = $this->post('/webhooks/source/gitlab/events/manual', [], [
+        'Host' => 'gitlab.example.com',
+    ]);
+    expect($response->status())->not->toBe(400);
+
+    // Test Stripe webhook
+    $response = $this->post('/webhooks/payments/stripe/events', [], [
+        'Host' => 'stripe-webhook-forwarder.local',
+    ]);
+    expect($response->status())->not->toBe(400);
+});

From e1fe58639756cf7b232458eddd6978e4ed0031f5 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 20 Oct 2025 12:59:57 +0200
Subject: [PATCH 2/3] Changes auto-committed by Conductor

---
 app/Http/Middleware/TrustHosts.php            | 19 +++++++++++++++++++
 .../views/components/forms/datalist.blade.php |  4 ++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/app/Http/Middleware/TrustHosts.php b/app/Http/Middleware/TrustHosts.php
index 080b18acc..f0b9d67f2 100644
--- a/app/Http/Middleware/TrustHosts.php
+++ b/app/Http/Middleware/TrustHosts.php
@@ -30,6 +30,12 @@ public function handle(Request $request, $next)
             return $next($request);
         }
 
+        // Skip host validation if no FQDN is configured (initial setup)
+        $fqdnHost = Cache::get('instance_settings_fqdn_host');
+        if ($fqdnHost === '' || $fqdnHost === null) {
+            return $next($request);
+        }
+
         // For all other routes, use parent's host validation
         return parent::handle($request, $next);
     }
@@ -69,6 +75,19 @@ public function hosts(): array
             $trustedHosts[] = $fqdnHost;
         }
 
+        // Trust the APP_URL host itself (not just subdomains)
+        $appUrl = config('app.url');
+        if ($appUrl) {
+            try {
+                $appUrlHost = parse_url($appUrl, PHP_URL_HOST);
+                if ($appUrlHost && ! in_array($appUrlHost, $trustedHosts, true)) {
+                    $trustedHosts[] = $appUrlHost;
+                }
+            } catch (\Exception $e) {
+                // Ignore parse errors
+            }
+        }
+
         // Trust all subdomains of APP_URL as fallback
         $trustedHosts[] = $this->allSubdomainsOfApplicationUrl();
 
diff --git a/resources/views/components/forms/datalist.blade.php b/resources/views/components/forms/datalist.blade.php
index 05f6ca946..84eda9147 100644
--- a/resources/views/components/forms/datalist.blade.php
+++ b/resources/views/components/forms/datalist.blade.php
@@ -139,7 +139,7 @@ class="absolute z-50 w-full mt-1 bg-white dark:bg-coolgray-100 border border-neu
         </div>
     </template>
 
-    <template x-for="option in (filteredOptions || [])" :key="option.value">
+    <template x-for="(option, index) in (filteredOptions || [])" :key="option?.value || index">
         <div @click="toggleOption(option.value)"
             class="px-3 py-2 cursor-pointer hover:bg-neutral-100 dark:hover:bg-coolgray-200 flex items-center gap-3"
             :class="{ 'bg-neutral-50 dark:bg-coolgray-300': isSelected(option.value) }">
@@ -268,7 +268,7 @@ class="absolute z-50 w-full mt-1 bg-white dark:bg-coolgray-100 border border-neu
             </div>
         </template>
 
-        <template x-for="option in (filteredOptions || [])" :key="option.value">
+        <template x-for="(option, index) in (filteredOptions || [])" :key="option?.value || index">
             <div @click="selectOption(option.value)"
                 class="px-3 py-2 cursor-pointer hover:bg-neutral-100 dark:hover:bg-coolgray-200"
                 :class="{ 'bg-neutral-50 dark:bg-coolgray-300': selected == option.value }">

From 62d99b0b8bab570a79e5740f459bb94eb3238203 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 20 Oct 2025 13:55:28 +0200
Subject: [PATCH 3/3] Changes auto-committed by Conductor

---
 resources/views/components/forms/datalist.blade.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/resources/views/components/forms/datalist.blade.php b/resources/views/components/forms/datalist.blade.php
index 84eda9147..5bb12aa8d 100644
--- a/resources/views/components/forms/datalist.blade.php
+++ b/resources/views/components/forms/datalist.blade.php
@@ -106,7 +106,7 @@ class="flex flex-wrap gap-1.5 max-h-40 overflow-y-auto scrollbar py-1.5 w-full t
                 wire:dirty.class="dark:border-l-warning border-l-coollabs border-l-4">
 
                 {{-- Selected Tags Inside Input --}}
-                <template x-for="value in (selected || [])" :key="value">
+                <template x-for="value in selected" :key="value">
                     <button
                         type="button"
                         @click.stop="removeOption(value, $event)"
@@ -133,13 +133,13 @@ class="flex-1 min-w-[120px] text-sm border-0 outline-none bg-transparent p-0 foc
 <div x-show="open && !{{ $disabled ? 'true' : 'false' }}" x-transition
     class="absolute z-50 w-full mt-1 bg-white dark:bg-coolgray-100 border border-neutral-300 dark:border-coolgray-400 rounded shadow-lg max-h-60 overflow-auto scrollbar">
 
-    <template x-if="(filteredOptions || []).length === 0">
+    <template x-if="filteredOptions.length === 0">
         <div class="px-3 py-2 text-sm text-neutral-500 dark:text-neutral-400">
             No options found
         </div>
     </template>
 
-    <template x-for="(option, index) in (filteredOptions || [])" :key="option?.value || index">
+    <template x-for="option in filteredOptions" :key="option.value">
         <div @click="toggleOption(option.value)"
             class="px-3 py-2 cursor-pointer hover:bg-neutral-100 dark:hover:bg-coolgray-200 flex items-center gap-3"
             :class="{ 'bg-neutral-50 dark:bg-coolgray-300': isSelected(option.value) }">
@@ -262,13 +262,13 @@ class="shrink-0 text-neutral-400 px-2 {{ $disabled ? 'cursor-not-allowed' : 'cur
     <div x-show="open && !{{ $disabled ? 'true' : 'false' }}" x-transition
         class="absolute z-50 w-full mt-1 bg-white dark:bg-coolgray-100 border border-neutral-300 dark:border-coolgray-400 rounded shadow-lg max-h-60 overflow-auto scrollbar">
 
-        <template x-if="(filteredOptions || []).length === 0">
+        <template x-if="filteredOptions.length === 0">
             <div class="px-3 py-2 text-sm text-neutral-500 dark:text-neutral-400">
                 No options found
             </div>
         </template>
 
-        <template x-for="(option, index) in (filteredOptions || [])" :key="option?.value || index">
+        <template x-for="option in filteredOptions" :key="option.value">
             <div @click="selectOption(option.value)"
                 class="px-3 py-2 cursor-pointer hover:bg-neutral-100 dark:hover:bg-coolgray-200"
                 :class="{ 'bg-neutral-50 dark:bg-coolgray-300': selected == option.value }">