feat: implement domain isolation system with API response sanitizer and interceptor scripts

extra/api-interceptor.js

@@ -0,0 +1,97 @@
+(function() {
+  // Get the current domain
+  const currentDomain = window.location.hostname;
+  console.log("[Domain Isolation] Current domain:", currentDomain);
+  
+  // Check if RUNTIME_CONFIG is available
+  if (!window.RUNTIME_CONFIG) {
+    console.warn("[Domain Isolation] Runtime config not found, creating empty one.");
+    window.RUNTIME_CONFIG = {};
+  }
+  
+  // Store the domain info globally
+  window.LEARNHOUSE_DOMAIN = currentDomain;
+  
+  // 1. Intercept fetch API
+  const originalFetch = window.fetch;
+  window.fetch = function(url, options) {
+    if (typeof url === "string") {
+      try {
+        // Handle both absolute and relative URLs
+        const urlObj = new URL(url, window.location.origin);
+        const targetDomain = urlObj.hostname;
+        
+        // If URL has a different domain than current domain, rewrite it
+        if (targetDomain !== currentDomain) {
+          // Allow external APIs like umami
+          if (targetDomain.includes('api-gateway.umami.dev')) {
+            return originalFetch(url, options);
+          }
+          
+          console.warn("[Domain Isolation] Redirecting request to current domain:", url);
+          const newUrl = url.replace(/https?:\/\/[^\/]+/, window.location.origin);
+          console.log("[Domain Isolation] New URL:", newUrl);
+          return originalFetch(newUrl, options);
+        }
+      } catch (e) {
+        console.error("[Domain Isolation] Error processing URL:", e);
+      }
+    }
+    return originalFetch(url, options);
+  };
+  
+  // 2. Intercept XMLHttpRequest
+  const originalXHROpen = XMLHttpRequest.prototype.open;
+  XMLHttpRequest.prototype.open = function(method, url, ...rest) {
+    if (typeof url === "string") {
+      try {
+        const urlObj = new URL(url, window.location.origin);
+        const targetDomain = urlObj.hostname;
+        
+        if (targetDomain !== currentDomain) {
+          // Allow external APIs
+          if (targetDomain.includes('api-gateway.umami.dev')) {
+            return originalXHROpen.call(this, method, url, ...rest);
+          }
+          
+          console.warn("[Domain Isolation] Redirecting XHR to current domain:", url);
+          const newUrl = url.replace(/https?:\/\/[^\/]+/, window.location.origin);
+          console.log("[Domain Isolation] New XHR URL:", newUrl);
+          return originalXHROpen.call(this, method, newUrl, ...rest);
+        }
+      } catch (e) {
+        console.error("[Domain Isolation] Error processing XHR URL:", e);
+      }
+    }
+    return originalXHROpen.call(this, method, url, ...rest);
+  };
+  
+  // 3. Fix Next.js chunk loading issues
+  const originalReactDOMCreateScriptHook = Object.getOwnPropertyDescriptor(HTMLScriptElement.prototype, 'src');
+  if (originalReactDOMCreateScriptHook) {
+    Object.defineProperty(HTMLScriptElement.prototype, 'src', {
+      get: originalReactDOMCreateScriptHook.get,
+      set: function(url) {
+        if (typeof url === 'string') {
+          try {
+            const urlObj = new URL(url, window.location.origin);
+            const targetDomain = urlObj.hostname;
+            
+            if (targetDomain !== currentDomain && url.includes('/next/static/chunks/')) {
+              const newUrl = url.replace(/https?:\/\/[^\/]+/, window.location.origin);
+              console.warn("[Domain Isolation] Redirecting script src to current domain:", url);
+              console.log("[Domain Isolation] New script src:", newUrl);
+              return originalReactDOMCreateScriptHook.set.call(this, newUrl);
+            }
+          } catch (e) {
+            console.error("[Domain Isolation] Error processing script URL:", e);
+          }
+        }
+        return originalReactDOMCreateScriptHook.set.call(this, url);
+      },
+      configurable: true
+    });
+  }
+  
+  console.log("[Domain Isolation] Complete domain isolation system installed");
+})();

extra/api-response-sanitizer.js

@@ -0,0 +1,93 @@
+/**
+ * API Response Sanitizer
+ * 
+ * This script specifically handles API responses to ensure they don't contain
+ * URLs pointing to the wrong domain.
+ */
+(function() {
+  console.log('[Domain Isolation] Installing API response sanitizer...');
+  
+  // Save reference to the original fetch
+  const originalFetch = window.fetch;
+
+  /**
+   * Recursively sanitize objects to replace URLs from wrong domains
+   */
+  function sanitizeObject(obj, currentDomain) {
+    if (!obj || typeof obj !== 'object') return obj;
+    
+    // Handle arrays
+    if (Array.isArray(obj)) {
+      return obj.map(item => sanitizeObject(item, currentDomain));
+    }
+    
+    // Handle objects
+    const result = {};
+    
+    for (const [key, value] of Object.entries(obj)) {
+      // Check if this is a URL string value
+      if (typeof value === 'string' && 
+          (value.startsWith('http://') || value.startsWith('https://'))) {
+        try {
+          const url = new URL(value);
+          if (url.hostname !== currentDomain && 
+              !url.hostname.includes('api-gateway.umami.dev')) {
+            console.log(`[Sanitizer] Found cross-domain URL: ${value}`);
+            const newValue = value.replace(url.hostname, currentDomain);
+            result[key] = newValue;
+            continue;
+          }
+        } catch (e) {
+          // Not a valid URL, keep original value
+        }
+      }
+      
+      // Process nested objects/arrays
+      if (value && typeof value === 'object') {
+        result[key] = sanitizeObject(value, currentDomain);
+      } else {
+        result[key] = value;
+      }
+    }
+    
+    return result;
+  }
+  
+  // Override fetch to sanitize responses
+  window.fetch = async function(...args) {
+    const currentDomain = window.location.hostname;
+    
+    // Call original fetch
+    const response = await originalFetch.apply(this, args);
+    
+    // Clone the response so we can read it multiple times
+    const clonedResponse = response.clone();
+    
+    // Only process JSON responses from API endpoints
+    const contentType = response.headers.get('content-type');
+    if (contentType && contentType.includes('application/json')) {
+      
+      try {
+        // Read and parse the response
+        const originalData = await clonedResponse.json();
+        
+        // Sanitize the data
+        const sanitizedData = sanitizeObject(originalData, currentDomain);
+        
+        // Create a new response with sanitized data
+        return new Response(JSON.stringify(sanitizedData), {
+          status: response.status,
+          statusText: response.statusText,
+          headers: response.headers
+        });
+      } catch (e) {
+        console.error('[Domain Isolation] Error sanitizing response:', e);
+        return response; // Return original response on error
+      }
+    }
+    
+    return response;
+  };
+  
+  console.log('[Domain Isolation] API response sanitizer installed');
+})();

extra/domain-isolation-loader.js

@@ -0,0 +1,82 @@
+// Domain Isolation Loader
+// This script loads before any other scripts to ensure all requests stay within the current domain
+
+(function() {
+  console.log('[Domain Isolation] Initializing early domain isolation...');
+  
+  // Override createElement to patch script elements before they load
+  const originalCreateElement = document.createElement.bind(document);
+  document.createElement = function(tagName) {
+    const element = originalCreateElement(tagName);
+    
+    if (tagName.toLowerCase() === 'script') {
+      const originalSetAttribute = element.setAttribute.bind(element);
+      element.setAttribute = function(name, value) {
+        if (name === 'src' && typeof value === 'string') {
+          try {
+            const currentDomain = window.location.hostname;
+            const urlObj = new URL(value, window.location.origin);
+            const targetDomain = urlObj.hostname;
+            
+            if (targetDomain !== currentDomain) {
+              console.warn('[Domain Isolation] Pre-load intercepted cross-domain script:', value);
+              value = value.replace(/https?:\/\/[^\/]+/, window.location.origin);
+              console.log('[Domain Isolation] Changed to:', value);
+            }
+          } catch (e) {
+            console.error('[Domain Isolation] Error processing script URL:', e);
+          }
+        }
+        return originalSetAttribute(name, value);
+      };
+    }
+    
+    return element;
+  };
+  
+  // Store original URL manipulation methods
+  window.__domainIsolationOriginals = {
+    fetch: window.fetch,
+    open: XMLHttpRequest.prototype.open
+  };
+  
+  // Simple early fetch override
+  window.fetch = function(url, options) {
+    if (typeof url === 'string') {
+      try {
+        const currentDomain = window.location.hostname;
+        const urlObj = new URL(url, window.location.origin);
+        const targetDomain = urlObj.hostname;
+        
+        if (targetDomain !== currentDomain) {
+          console.warn('[Domain Isolation] Early loader redirecting fetch:', url);
+          url = url.replace(/https?:\/\/[^\/]+/, window.location.origin);
+        }
+      } catch (e) {
+        console.error('[Domain Isolation] Early loader error:', e);
+      }
+    }
+    return window.__domainIsolationOriginals.fetch.apply(this, arguments);
+  };
+  
+  // Simple early XHR override
+  XMLHttpRequest.prototype.open = function(method, url, ...args) {
+    if (typeof url === 'string') {
+      try {
+        const currentDomain = window.location.hostname;
+        const urlObj = new URL(url, window.location.origin);
+        const targetDomain = urlObj.hostname;
+        
+        if (targetDomain !== currentDomain) {
+          console.warn('[Domain Isolation] Early loader redirecting XHR:', url);
+          url = url.replace(/https?:\/\/[^\/]+/, window.location.origin);
+        }
+      } catch (e) {
+        console.error('[Domain Isolation] Early loader error:', e);
+      }
+    }
+    return window.__domainIsolationOriginals.open.apply(this, [method, url, ...args]);
+  };
+  
+  console.log('[Domain Isolation] Early domain isolation initialized');
+})();

extra/runtime-config-start.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+echo "Generating runtime configuration..."
+mkdir -p /app/web/public
+
+# Generate runtime config
+cat > /app/web/public/runtime-config.js << EOF
+window.RUNTIME_CONFIG = {
+  LEARNHOUSE_API_URL: "${NEXT_PUBLIC_LEARNHOUSE_API_URL:-}",
+  LEARNHOUSE_BACKEND_URL: "${NEXT_PUBLIC_LEARNHOUSE_BACKEND_URL:-}",
+  LEARNHOUSE_DOMAIN: "${NEXT_PUBLIC_LEARNHOUSE_DOMAIN:-}",
+  LEARNHOUSE_DEFAULT_ORG: "${NEXT_PUBLIC_LEARNHOUSE_DEFAULT_ORG:-default}",
+  LEARNHOUSE_MULTI_ORG: "${NEXT_PUBLIC_LEARNHOUSE_MULTI_ORG:-false}",
+  LEARNHOUSE_TOP_DOMAIN: "${NEXT_PUBLIC_LEARNHOUSE_TOP_DOMAIN:-}"
+}
+EOF
+
+# Copy the pre-created isolation scripts to the public folder
+cp /app/extra/api-interceptor.js /app/web/public/
+cp /app/extra/api-response-sanitizer.js /app/web/public/
+cp /app/extra/domain-isolation-loader.js /app/web/public/
+
+echo "Runtime configuration generated successfully"
+
+echo "Enhanced patching of NextAuth cookies and domains..."
+find /app/web/.next -type f -name "*.js" -exec sed -i "s/domain:[^,}]*,/domain: undefined,/g" {} \;
+find /app/web/.next -type f -name "*.js" -exec sed -i "s/domain: *process.env.LEARNHOUSE_COOKIE_DOMAIN/domain: undefined/g" {} \;
+find /app/web/.next -type f -name "*.js" -exec sed -i "s/\.domain\s*=\s*[^;]*;/\.domain = undefined;/g" {} \;
+echo "Cookie domain patches complete."
+
+echo "Starting application..."
+sh /app/start.sh