From 178ce76b2e459efddf0eecdd781aa58fc11c9f78 Mon Sep 17 00:00:00 2001
From: Stephen Chudleigh <stephen@smartlogic.io>
Date: Thu, 9 Jan 2025 16:50:08 -0800
Subject: [PATCH] add idp_host to trusted allowed_hostnames

---
 app/models/login_gov.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/app/models/login_gov.rb b/app/models/login_gov.rb
index 58c94dee..e800cb66 100644
--- a/app/models/login_gov.rb
+++ b/app/models/login_gov.rb
@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'uri'
 
 # LoginGov manages authentication with the external login.gov service
@@ -105,11 +106,12 @@ def get_public_key(jwks_uri)
   end
 
   def validate_jwks_uri(uri)
-    allowed_hostnames = ["trusted-domain.com"]
+    idp_host = URI.parse(config[:idp_host]).host
+    allowed_hostnames = [idp_host]
     uri_host = URI.parse(uri).host
-    unless allowed_hostnames.include?(uri_host)
-      raise LoginApiError.new("Invalid jwks_uri", code: 400, body: "The jwks_uri is not allowed.")
-    end
+    return if allowed_hostnames.include?(uri_host)
+
+    raise LoginApiError.new("Invalid jwks_uri", code: 400, body: "The jwks_uri is not allowed.")
   end
 
   def read_private_key