Proxy protection (#18427)

* Add proxy protection to detect and warn about untrusted domains

- Add WAREHOUSE_ALLOWED_DOMAINS configuration variable to specify trusted domains
- Create JavaScript proxy detection that checks if current domain is allowed
- Display full-page red warning overlay for untrusted domains
- Show persistent banner after user dismisses the overlay
- Add tests for allowed domains configuration parsing

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Add domain verification with request nonces to proxy protection

Enhance proxy protection by hashing allowed domains with per-request nonces
to prevent simple proxy rewriting of the allowlist. This makes it more
difficult for malicious proxies to bypass domain verification by tampering
with the allowed domains list.

Security improvement includes:
- Generate cryptographically secure nonce for each request
- Hash allowed domains using HMAC with nonce as key
- Verify domains client-side using Web Crypto API
- Prevent plaintext domain list exposure in HTML

Note: This is not a bulletproof security solution but raises the bar for
attackers by requiring active request interception and computation rather
than simple string replacement.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Make hostname in proxy warning modal more visible

- Switch from innerHTML to createElement for better style control
- Increase domain font size to 72px with bold weight (900)
- Use light red color (#ff6b6b) for better contrast
- Reduce vertical margin to 10px for tighter layout
- Apply monospace font for clear domain display

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* lint/translations

* Fix tests for proxy protection configuration

- Add warehouse.allowed_domains to expected settings in config tests
- Add .request module to expected includes list
- Ensures all tests pass with new proxy protection feature

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Simplify proxy protection to always warn on unmatched domains

- Remove subdomain matching logic - only exact domain matches are allowed
- Always show warning unless domain explicitly matches configured list
- Default to showing warning if data elements are missing or invalid
- Remove special case for empty domain list

This ensures maximum security by always warning users unless they are
on an explicitly allowed domain.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* include localhost/127.0.0.1 in dev/environment

* Move proxy protection initialization to index.js

- Remove docReady import and call from proxy-protection.js
- Export checkProxyProtection function for use in index.js
- Import and initialize with docReady in index.js
- Follows same pattern as other utility modules like WebAuthn

This centralizes all docReady calls in index.js and makes the module
structure more consistent.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: ewdurbin

dev/environment

@@ -94,3 +94,5 @@ HELPDESK_NOTIFICATION_BACKEND="warehouse.helpdesk.services.ConsoleAdminNotificat
 
 # Example of Domain Status configuration
 # DOMAIN_STATUS_BACKEND="warehouse.accounts.services.DomainrDomainStatusService client_id=some_client_id"
+
+WAREHOUSE_ALLOWED_DOMAINS=127.0.0.1,localhost

tests/unit/test_config.py

@@ -333,6 +333,7 @@ def __init__(self):
         "gcloud.service_account_info": {},
         "warehouse.forklift.legacy.MAX_FILESIZE_MIB": 100,
         "warehouse.forklift.legacy.MAX_PROJECT_SIZE_GIB": 10,
+        "warehouse.allowed_domains": [],
     }
     if environment == config.Environment.development:
         expected_settings.update(
@@ -394,6 +395,7 @@ def __init__(self):
         ]
         + [
             pretend.call(".logging"),
+            pretend.call(".request"),
             pretend.call("pyramid_jinja2"),
             pretend.call(".filters"),
             pretend.call("pyramid_mailer"),
@@ -670,3 +672,34 @@ def test_root_factory_access_control_list():
             ),
         ),
     ]
+
+
+class TestWarehouseAllowedDomains:
+    def test_allowed_domains_parsing(self):
+        """Test that allowed domains are parsed correctly."""
+
+        # Test the lambda function used in maybe_set
+        def parser(s):
+            return [d.strip() for d in s.split(",") if d.strip()]
+
+        # Test normal case
+        assert parser("pypi.org, test.pypi.org, example.com") == [
+            "pypi.org",
+            "test.pypi.org",
+            "example.com",
+        ]
+
+        # Test with empty strings
+        assert parser("pypi.org,,, test.pypi.org, ") == ["pypi.org", "test.pypi.org"]
+
+        # Test with only commas
+        assert parser(",,,") == []
+
+        # Test single domain
+        assert parser("pypi.org") == ["pypi.org"]
+
+        # Test with extra spaces
+        assert parser("  pypi.org  ,   test.pypi.org  ") == [
+            "pypi.org",
+            "test.pypi.org",
+        ]

tests/unit/test_request.py

@@ -0,0 +1,96 @@
+# SPDX-License-Identifier: Apache-2.0
+
+import pretend
+
+from warehouse import request
+
+
+class TestCreateNonce:
+    def test_generates_unique_nonces(self):
+        """Test that each request gets a unique nonce."""
+        req1 = pretend.stub()
+        req2 = pretend.stub()
+
+        nonce1 = request._create_nonce(req1)
+        nonce2 = request._create_nonce(req2)
+
+        # Nonces should be strings
+        assert isinstance(nonce1, str)
+        assert isinstance(nonce2, str)
+
+        # Nonces should have reasonable length (base64url encoded 32 bytes)
+        assert len(nonce1) >= 32
+        assert len(nonce2) >= 32
+
+        # Nonces should be unique
+        assert nonce1 != nonce2
+
+    def test_nonce_is_url_safe(self):
+        """Test that nonces are URL-safe."""
+        req = pretend.stub()
+        nonce = request._create_nonce(req)
+
+        # Should only contain URL-safe characters
+        # base64url uses A-Z, a-z, 0-9, -, _
+        import re
+
+        assert re.match(r"^[A-Za-z0-9_-]+$", nonce)
+
+
+class TestCreateHashedDomains:
+    def test_hashes_domains_with_nonce(self):
+        """Test that domains are hashed using the nonce."""
+        req = pretend.stub(
+            nonce="test-nonce-123",
+            registry=pretend.stub(
+                settings={"warehouse.allowed_domains": ["pypi.org", "test.pypi.org"]}
+            ),
+        )
+
+        hashed = request._create_hashed_domains(req)
+
+        # Should return comma-separated list
+        assert "," in hashed
+        hashes = hashed.split(",")
+        assert len(hashes) == 2
+
+        # Each hash should be 64 chars (sha256 hex)
+        for h in hashes:
+            assert len(h) == 64
+            assert all(c in "0123456789abcdef" for c in h)
+
+        # Hashes should be different for different domains
+        assert hashes[0] != hashes[1]
+
+    def test_different_nonce_produces_different_hashes(self):
+        """Test that different nonces produce different hashes for same domain."""
+        req1 = pretend.stub(
+            nonce="nonce-1",
+            registry=pretend.stub(settings={"warehouse.allowed_domains": ["pypi.org"]}),
+        )
+        req2 = pretend.stub(
+            nonce="nonce-2",
+            registry=pretend.stub(settings={"warehouse.allowed_domains": ["pypi.org"]}),
+        )
+
+        hashed1 = request._create_hashed_domains(req1)
+        hashed2 = request._create_hashed_domains(req2)
+
+        assert hashed1 != hashed2
+
+    def test_empty_domains_returns_empty_string(self):
+        """Test that empty domain list returns empty string."""
+        req = pretend.stub(
+            nonce="test-nonce",
+            registry=pretend.stub(settings={"warehouse.allowed_domains": []}),
+        )
+
+        hashed = request._create_hashed_domains(req)
+        assert hashed == ""
+
+    def test_no_domains_setting_returns_empty_string(self):
+        """Test that missing domains setting returns empty string."""
+        req = pretend.stub(nonce="test-nonce", registry=pretend.stub(settings={}))
+
+        hashed = request._create_hashed_domains(req)
+        assert hashed == ""

warehouse/config.py

@@ -341,6 +341,13 @@ def configure(settings=None):
     maybe_set(settings, "warehouse.ip_salt", "WAREHOUSE_IP_SALT")
     maybe_set(settings, "warehouse.num_proxies", "WAREHOUSE_NUM_PROXIES", int)
     maybe_set(settings, "warehouse.domain", "WAREHOUSE_DOMAIN")
+    maybe_set(
+        settings,
+        "warehouse.allowed_domains",
+        "WAREHOUSE_ALLOWED_DOMAINS",
+        lambda s: [d.strip() for d in s.split(",") if d.strip()],
+        default=[],
+    )
     maybe_set(settings, "forklift.domain", "FORKLIFT_DOMAIN")
     maybe_set(settings, "auth.domain", "AUTH_DOMAIN")
     maybe_set(
@@ -636,6 +643,9 @@ def configure(settings=None):
     # Register our logging support
     config.include(".logging")
 
+    # Register request utilities (nonce, etc.)
+    config.include(".request")
+
     # We'll want to use Jinja2 as our template system.
     config.include("pyramid_jinja2")