
fix(core): remove trailing slash in http scope url, closes #5208 (#6974)

* fix(core): remove trailing slash in http scope url, closes #5208

* fix tests

* one more tests fix

* clippy
Amr Bashir 2 lat temu
rodzic
commit
82169e69fc

+ 5 - 0
.changes/config-scope-url.md

@@ -0,0 +1,5 @@
+---
+'tauri-utils': 'patch'
+---
+
+Fix parsing `allowlist > http > scope` urls that added a trailing slash which broke matching the incoming requests url.

+ 1 - 1
core/tauri-config-schema/schema.json

@@ -2431,7 +2431,7 @@
       "additionalProperties": false
     },
     "HttpAllowlistScope": {
-      "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://**\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"",
+      "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://*\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"",
       "type": "array",
       "items": {
         "type": "string",

+ 3 - 1
core/tauri-utils/src/config.rs

@@ -1892,11 +1892,13 @@ impl Allowlist for DialogAllowlistConfig {
 /// The scoped URL is matched against the request URL using a glob pattern.
 ///
 /// Examples:
-/// - "https://**": allows all HTTPS urls
+/// - "https://*": allows all HTTPS urls
 /// - "https://*.github.com/tauri-apps/tauri": allows any subdomain of "github.com" with the "tauri-apps/api" path
 /// - "https://myapi.service.com/users/*": allows access to any URLs that begins with "https://myapi.service.com/users/"
 #[allow(rustdoc::bare_urls)]
 #[derive(Debug, Default, PartialEq, Eq, Clone, Deserialize, Serialize)]
+// TODO: in v2, parse into a String or a custom type that perserves the
+// glob string because Url type will add a trailing slash
 #[cfg_attr(feature = "schema", derive(JsonSchema))]
 pub struct HttpAllowlistScope(pub Vec<Url>);
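Review bot: The added TODO sits between `#[derive(...)]` and `#[cfg_attr(...)]` and misspells "preserves" as `perserves`; place it above the attribute list so the attributes stay together. The doc example now says `https://*` allows all HTTPS urls, which only holds if `*` also matches `/`. Since this list is an access-control boundary, the doc comment should say so explicitly, for example `/// Note: "*" also matches "/", so a trailing "*" covers every sub-path.`, after confirming it against the matcher in `scope/http.rs`. The context line for `https://*.github.com/tauri-apps/tauri` also names the path as "tauri-apps/api", which does not match the pattern shown.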
 

+ 13 - 4
core/tauri/src/scope/http.rs

@@ -19,9 +19,18 @@ impl Scope {
       allowed_urls: scope
         .0
         .iter()
-        .map(|url| {
-          glob::Pattern::new(url.as_str())
-            .unwrap_or_else(|_| panic!("scoped URL is not a valid glob pattern: `{url}`"))
+        .flat_map(|url| {
+          [
+            glob::Pattern::new(url.as_str())
+              .unwrap_or_else(|_| panic!("scoped URL is not a valid glob pattern: `{url}`")),
+            glob::Pattern::new(
+              url
+                .as_str()
+                .strip_suffix('/')
+                .unwrap_or_else(|| url.as_str()),
+            )
+            .unwrap_or_else(|_| panic!("scoped URL is not a valid glob pattern: `{url}`")),
+          ]
         })
         .collect(),
     }
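Review bot: The second pattern built from `strip_suffix('/')` drops the only character that anchors the end of the host for a host-only entry, so a wildcard host entry (constructed example: `https://*.example.com`) is compiled as a glob with nothing after the domain suffix. If `is_allowed` matches with the default glob options, which the updated test in this file suggests because `http://*` now accepts `/path/to/file`, then `*` can span `/` and such an entry may accept a URL on a different host whose path merely ends in that suffix. Consider comparing the request's host against the host part of the scope separately from the path instead of globbing the whole URL string. When the URL has no trailing slash both array elements are the same pattern, so a comment such as `// Url adds '/' to host-only URLs; also keep the slash-less form` would explain why two patterns are stored. The enclosing `for_http_api` starts and ends outside this hunk.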
@@ -81,7 +90,7 @@ mod tests {
     let scope = super::Scope::for_http_api(&HttpAllowlistScope(vec!["http://*".parse().unwrap()]));
 
     assert!(scope.is_allowed(&"http://something.else".parse().unwrap()));
-    assert!(!scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap()));
+    assert!(scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap()));
     assert!(!scope.is_allowed(&"https://something.else".parse().unwrap()));
 
     let scope = super::Scope::for_http_api(&HttpAllowlistScope(vec!["http://**".parse().unwrap()]));
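Review bot: The flipped assertion records that `http://*` now allows every path on every HTTP host, but no test pins the trailing-slash case the commit title names, nor the deny side of the wider match. Add a case for a host-only scope checked against a request with and without the trailing slash. Add a deny case for a wildcard host as well, for example with scope `http://*.example.com` (constructed hosts): `assert!(!scope.is_allowed(&"http://other.test/a.example.com".parse().unwrap()));`. The test function starts and ends outside this hunk.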

+ 1 - 1
tooling/cli/schema.json

@@ -2431,7 +2431,7 @@
       "additionalProperties": false
     },
     "HttpAllowlistScope": {
-      "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://**\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"",
+      "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://*\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"",
       "type": "array",
       "items": {
         "type": "string",