PM-23733 - Refactor guards and extend env to be able to determine self hosted and prod

2026-02-18 10:23:52 +00:00 · 2025-07-15 20:37:31 -04:00
parent a4bf96ed8d
commit 876761c300
6 changed files with 49 additions and 9 deletions
--- a/apps/web/src/app/oss-routing.module.ts
+++ b/apps/web/src/app/oss-routing.module.ts
@@ -14,6 +14,7 @@ import { ChangePasswordComponent } from "@bitwarden/angular/auth/password-manage
 import { SetInitialPasswordComponent } from "@bitwarden/angular/auth/password-management/set-initial-password/set-initial-password.component";
 import { canAccessFeature } from "@bitwarden/angular/platform/guard/feature-flag.guard";
 import { preventProdAccessGuard } from "@bitwarden/angular/platform/guard/prevent-prod-access.guard";
+import { preventSelfHostedAccessGuard } from "@bitwarden/angular/platform/guard/prevent-self-hosted-access.guard";
 import {
  PasswordHintComponent,
  RegistrationFinishComponent,
@@ -179,7 +180,7 @@ const routes: Routes = [
    children: [
      {
        path: "feature-flags",
-        canMatch: [preventProdAccessGuard],
+        canMatch: [preventProdAccessGuard, preventSelfHostedAccessGuard],
        data: {
          pageTitle: {
            key: "featureFlags",
@@ -718,7 +719,7 @@ const routes: Routes = [
          {
            path: "developer-tools",
            data: { titleId: "developerTools" } satisfies RouteDataProperties,
-            canMatch: [preventProdAccessGuard],
+            canMatch: [preventProdAccessGuard, preventSelfHostedAccessGuard],
            loadComponent: () =>
              import("./platform/settings/developer-tools").then((m) => m.DeveloperToolsComponent),
            children: [
--- a/libs/angular/src/platform/guard/prevent-prod-access.guard.ts
+++ b/libs/angular/src/platform/guard/prevent-prod-access.guard.ts
@@ -3,9 +3,7 @@ import { CanMatchFn } from "@angular/router";
 import { firstValueFrom } from "rxjs";

 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
-import { PRODUCTION_REGIONS } from "@bitwarden/common/platform/services/default-environment.service";

-// TODO: consider moving logic to service and also not showing when self hosted.
 /**
 * Guard to prevent matching routes in production environments.
 * Allows for developer tooling that should only be accessible in non-production environments.
@@ -15,11 +13,7 @@ export const preventProdAccessGuard: CanMatchFn = async (): Promise<boolean> =>

  const environment = await firstValueFrom(environmentService.environment$);

-  const region = environment.getRegion();
-
-  const prodRegions = PRODUCTION_REGIONS.map((regionConfig) => regionConfig.key);
-
-  if (prodRegions.includes(region)) {
+  if (environment.isProduction()) {
    return false;
  }

--- a/libs/angular/src/platform/guard/prevent-self-hosted-access.guard.spec.ts
+++ b/libs/angular/src/platform/guard/prevent-self-hosted-access.guard.spec.ts
@@ -0,0 +1 @@
+// TODO: test
--- a/libs/angular/src/platform/guard/prevent-self-hosted-access.guard.ts
+++ b/libs/angular/src/platform/guard/prevent-self-hosted-access.guard.ts
@@ -0,0 +1,22 @@
+import { inject } from "@angular/core";
+import { CanMatchFn } from "@angular/router";
+import { firstValueFrom } from "rxjs";
+
+import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
+
+// TODO: should we have a devTools guard instead of prod env and self hosted env checks?
+/**
+ * Guard to prevent matching routes in self-hosted environments.
+ * Allows for developer tooling that should only be accessible in non-self-hosted environments.
+ */
+export const preventSelfHostedAccessGuard: CanMatchFn = async (): Promise<boolean> => {
+  const environmentService = inject(EnvironmentService);
+
+  const environment = await firstValueFrom(environmentService.environment$);
+
+  if (environment.isSelfHosted()) {
+    return false;
+  }
+
+  return true;
+};
--- a/libs/common/src/platform/abstractions/environment.service.ts
+++ b/libs/common/src/platform/abstractions/environment.service.ts
@@ -60,6 +60,20 @@ export interface Environment {
   */
  isCloud(): boolean;

+  /**
+   * Identify if the region is a self-hosted environment.
+   *
+   * @returns true if the environment is self-hosted, false otherwise.
+   */
+  isSelfHosted(): boolean;
+
+  /**
+   * Identify if the environment is a production environment.
+   *
+   * @returns true if the environment is production, false otherwise.
+   */
+  isProduction(): boolean;
+
  getApiUrl(): string;
  getEventsUrl(): string;
  getIconsUrl(): string;
--- a/libs/common/src/platform/services/default-environment.service.ts
+++ b/libs/common/src/platform/services/default-environment.service.ts
@@ -410,6 +410,14 @@ abstract class UrlEnvironment implements Environment {
    return this.region !== Region.SelfHosted;
  }

+  isSelfHosted(): boolean {
+    return this.region === Region.SelfHosted;
+  }
+
+  isProduction(): boolean {
+    return PRODUCTION_REGIONS.some((regionConfig) => regionConfig.key === this.region);
+  }
+
  /**
   * Helper for getting an URL.
   *