Merge pull request #9145 from hashicorp/login-middleware-auth-hosts

Add app.vagrantup.com to allowed auth hosts

plugins/commands/login/middleware/add_authentication.rb

@@ -6,8 +6,11 @@ require_relative "../client"
 module VagrantPlugins
   module LoginCommand
     class AddAuthentication
-      VCLOUD = "vagrantcloud.com".freeze
+      ALLOWED_AUTHENTICATION_HOSTS = %w[
-      ATLAS  = "atlas.hashicorp.com".freeze
+        app.vagrantup.com
+        atlas.hashicorp.com
+        vagrantcloud.com
+      ].freeze
 
       def initialize(app, env)
         @app = app
@@ -25,12 +28,8 @@ module VagrantPlugins
             replace = u.host == server_uri.host
 
             if !replace
-              # We need this in here for the transition we made from
+              if ALLOWED_AUTHENTICATION_HOSTS.include?(u.host) &&
-              # Vagrant Cloud to Atlas. This preserves access tokens
+                  ALLOWED_AUTHENTICATION_HOSTS.include?(server_uri.host)
-              # appending to both without leaking access tokens to
-              # unsavory URLs.
-              if (u.host == VCLOUD && server_uri.host == ATLAS) ||
-                  (u.host == ATLAS && server_uri.host == VCLOUD)
                 replace = true
               end
             end

test/unit/plugins/commands/login/middleware/add_authentication_test.rb

@@ -71,13 +71,15 @@ describe VagrantPlugins::LoginCommand::AddAuthentication do
 
       original = [
         "http://google.com/box.box",
+        "http://app.vagrantup.com/foo.box",
         "http://vagrantcloud.com/foo.box",
         "http://vagrantcloud.com/bar.box?arg=true",
       ]
 
       expected = original.dup
       expected[1] = "#{original[1]}?access_token=#{token}"
-      expected[2] = "#{original[2]}&access_token=#{token}"
+      expected[2] = "#{original[2]}?access_token=#{token}"
+      expected[3] = "#{original[3]}&access_token=#{token}"
 
       env[:box_urls] = original.dup
       subject.call(env)