// Allow-list of Microsoft Graph and Entra (Azure AD) login hosts across the // public, US Government, DoD, and China sovereign clouds. User-supplied Graph // connection URLs are validated against this list so the server cannot be // pointed at arbitrary internal endpoints (SSRF). export const ALLOWED_GRAPH_HOSTS = new Set([ 'graph.microsoft.com', 'graph.microsoft.us', 'dod-graph.microsoft.us', 'microsoftgraph.chinacloudapi.cn' ]); export const ALLOWED_AUTHORITY_HOSTS = new Set([ 'login.microsoftonline.com', 'login.microsoftonline.us', 'login.partner.microsoftonline.cn', 'login.chinacloudapi.cn' ]); function hostnameOf(url) { try { const parsed = new URL(String(url)); if (parsed.protocol !== 'https:') return null; return parsed.hostname.toLowerCase(); } catch { return null; } } export function isAllowedGraphHost(url) { const host = hostnameOf(url); return Boolean(host && ALLOWED_GRAPH_HOSTS.has(host)); } export function isAllowedAuthorityHost(url) { const host = hostnameOf(url); return Boolean(host && ALLOWED_AUTHORITY_HOSTS.has(host)); }