From c5266e98b8e89c286b1ca0b0c50f961e274af3b6 Mon Sep 17 00:00:00 2001
From: Justin Campbell
Date: Tue, 7 Nov 2017 10:32:33 -0500
Subject: [PATCH 1/2] Change allowed auth hosts to list
---
 .../login/middleware/add_authentication.rb | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/plugins/commands/login/middleware/add_authentication.rb b/plugins/commands/login/middleware/add_authentication.rb
index c82bbf697..a784a3ac6 100644
--- a/plugins/commands/login/middleware/add_authentication.rb
+++ b/plugins/commands/login/middleware/add_authentication.rb
@@ -6,8 +6,10 @@ require_relative "../client"
 module VagrantPlugins
 module LoginCommand
 class AddAuthentication
- VCLOUD = "vagrantcloud.com".freeze
- ATLAS = "atlas.hashicorp.com".freeze
+ ALLOWED_AUTHENTICATION_HOSTS = %w[
+ atlas.hashicorp.com
+ vagrantcloud.com
+ ].freeze
 def initialize(app, env)
 @app = app
@@ -25,12 +27,8 @@ module VagrantPlugins
 replace = u.host == server_uri.host
 if !replace
- # We need this in here for the transition we made from
- # Vagrant Cloud to Atlas. This preserves access tokens
- # appending to both without leaking access tokens to
- # unsavory URLs.
- if (u.host == VCLOUD && server_uri.host == ATLAS) ||
- (u.host == ATLAS && server_uri.host == VCLOUD)
+ if ALLOWED_AUTHENTICATION_HOSTS.include?(u.host) &&
+ ALLOWED_AUTHENTICATION_HOSTS.include?(server_uri.host)
 replace = true
 end
 end
From 40d8dc4582e6ec1a95a79acd7751531223e2a883 Mon Sep 17 00:00:00 2001
From: Justin Campbell
Date: Tue, 7 Nov 2017 10:35:16 -0500
Subject: [PATCH 2/2] Add app.vagrantup.com to allowed auth hosts
This should allow users setting VAGRANT_SERVER_URL to app.vagrantup.com to authenticate to private boxes.
---
 plugins/commands/login/middleware/add_authentication.rb | 1 +
 .../commands/login/middleware/add_authentication_test.rb | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
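Review bot: `ALLOWED_AUTHENTICATION_HOSTS` in the first hunk of patch 1/2 is added without a comment saying what membership means, while the second hunk deletes the only explanation of the cross-host rule (the "without leaking access tokens to unsavory URLs" comment). From the condition in the second hunk, a box URL on any listed host is marked for token replacement once the configured server is also listed, so the list is effectively a set of hosts trusted with each other's tokens. I would document that above the constant, e.g. `# Hosts treated as one service for authentication: the access token for any of them is also sent to the others.` The class body continues outside the hunk.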
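Review bot: The cross-host check in the second hunk of patch 1/2 compares only `u.host`, so the URL scheme is never considered; the spec in patch 2/2 expects the token on `http://vagrantcloud.com/...` URLs, which suggests a plain-HTTP box URL for a listed host would carry the token in its query string. If that is not intended, the condition could also require TLS, e.g. `u.scheme == "https" &&` ahead of the two `include?` calls, with the spec URLs updated to match. The enclosing block starts and ends outside the hunk, so whether the scheme is checked elsewhere cannot be seen here.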
diff --git a/plugins/commands/login/middleware/add_authentication.rb b/plugins/commands/login/middleware/add_authentication.rb
index a784a3ac6..3056a88f9 100644
--- a/plugins/commands/login/middleware/add_authentication.rb
+++ b/plugins/commands/login/middleware/add_authentication.rb
@@ -7,6 +7,7 @@ module VagrantPlugins
 module LoginCommand
 class AddAuthentication
 ALLOWED_AUTHENTICATION_HOSTS = %w[
+ app.vagrantup.com
 atlas.hashicorp.com
 vagrantcloud.com
 ].freeze
diff --git a/test/unit/plugins/commands/login/middleware/add_authentication_test.rb b/test/unit/plugins/commands/login/middleware/add_authentication_test.rb
index ee4b2ab7d..8f1d1c6d9 100644
--- a/test/unit/plugins/commands/login/middleware/add_authentication_test.rb
+++ b/test/unit/plugins/commands/login/middleware/add_authentication_test.rb
@@ -71,13 +71,15 @@ describe VagrantPlugins::LoginCommand::AddAuthentication do
 original = [
 "http://google.com/box.box",
+ "http://app.vagrantup.com/foo.box",
 "http://vagrantcloud.com/foo.box",
 "http://vagrantcloud.com/bar.box?arg=true",
 ]
 expected = original.dup
 expected[1] = "#{original[1]}?access_token=#{token}"
- expected[2] = "#{original[2]}&access_token=#{token}"
+ expected[2] = "#{original[2]}?access_token=#{token}"
+ expected[3] = "#{original[3]}&access_token=#{token}"
 env[:box_urls] = original.dup
 subject.call(env)
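Review bot: The added `http://app.vagrantup.com/foo.box` case in the spec hunk checks the new host only as a box URL; nothing in the visible lines sets the server URL to app.vagrantup.com, which is the scenario the commit message describes (`VAGRANT_SERVER_URL` pointing at that host). A second example that configures the server as `app.vagrantup.com` and asserts the token is appended to a `vagrantcloud.com` URL, and still not to the `google.com` one, would cover the `server_uri.host` half of the condition. The example starts and ends outside the hunk, so the server setup may exist above.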