ELECTRON-512 (Create API only if the location.origin matches with whitelist or pod URL) (#421)

- Create API only if the location.origin matches with whitelist or pod URL
- Include isNodeEnv for Spectron test cases to pass
- Reset whitelistUrl to support SSO login
- Remove unnecessary return statement

js/enums/api.js

@@ -24,6 +24,7 @@ const cmds = keyMirror({
     setIsInMeeting: null,
     setLocale: null,
     keyPress: null,
+    originCheck: null,
 });
 
 module.exports = {

js/mainApiMgr.js

@@ -18,6 +18,7 @@ const eventEmitter = require('./eventEmitter');
 const { isMac } = require('./utils/misc');
 const { openScreenPickerWindow } = require('./desktopCapturer');
 const { optimizeMemory, setIsInMeeting } = require('./memoryMonitor');
+const originCheck = require('./originCheck');
 
 const apiEnums = require('./enums/api.js');
 const apiCmds = apiEnums.cmds;
@@ -169,6 +170,11 @@ electron.ipcMain.on(apiName, (event, arg) => {
                 windowMgr.handleKeyPress(arg.keyCode);
             }
             break;
+        case apiCmds.originCheck:
+            if (typeof arg.origin === 'string') {
+                originCheck(event.sender, arg.origin);
+            }
+            break;
         default:
     }
 

js/originCheck.js

@@ -0,0 +1,32 @@
+const { isWhitelisted, matchDomains, parseDomain } = require('./utils/whitelistHandler');
+const { getGlobalConfigField } = require('./config');
+const { isDevEnv, isNodeEnv } = require('./utils/misc');
+
+/**
+ * Validate whitelist and location.origin
+ * @param eventSender
+ * @param origin {String} location.origin
+ */
+function originCheck(eventSender, origin) {
+
+    if (isDevEnv || isNodeEnv) {
+        eventSender.send('initialize-api');
+        return;
+    }
+
+    isWhitelisted(origin)
+        .then(() => {
+            eventSender.send('initialize-api', true);
+        })
+        .catch(() => {
+            getGlobalConfigField('url')
+                .then((configUrl) => {
+                    if (matchDomains(parseDomain(origin), parseDomain(configUrl))) {
+                        eventSender.send('initialize-api', true);
+                    }
+                });
+        });
+
+}
+
+module.exports = originCheck;

js/preload/preloadMain.js

@@ -110,7 +110,17 @@ setInterval(() => {
     });
 }, memoryMonitorInterval);
 
-createAPI();
+// Create API only on an allowed origin
+local.ipcRenderer.once('initialize-api', () => {
+    createAPI();
+});
+
+setTimeout(() => {
+    local.ipcRenderer.send(apiName, {
+        cmd: apiCmds.originCheck,
+        origin: location.origin,
+    });
+}, 0);
 
 // creates API exposed from electron.
 // wrapped in a function so we can abort early in function coming from an iframe

js/utils/whitelistHandler.js

@@ -159,6 +159,7 @@ function parseDomain(url) {
 module.exports = {
     isWhitelisted,
     parseDomain,
+    matchDomains,
 
     // items below here are only exported for testing, do NOT use!
     checkWhitelist