@abtnode/router-provider 1.17.8-beta-20260121-102603-f9d0176f → 1.17.8-beta-20260125-093329-64b43854

package/lib/util.js

@@ -23,10 +23,44 @@ const decideHttpPort = (port) => port || process.env.ABT_NODE_HTTP_PORT || DEFAU
 const decideHttpsPort = (port) => port || process.env.ABT_NODE_HTTPS_PORT || DEFAULT_HTTPS_PORT;
 
 const findCertificate = (certs, domain) => {
-  const results = certs
-    .filter((cert) => [cert.domain, ...(cert.sans || [])].some((d) => checkDomainMatch(d, domain)))
-    .sort((d1) => (d1.domain[0] === '*' ? 1 : -1)); // will first match a.b.com, then *.b.com
-  return results[0];
+  const lowerDomain = domain.toLowerCase();
+
+  // First try exact match (highest priority)
+  // Note: Domain matching should be case-insensitive per DNS standards
+  for (const cert of certs) {
+    const certDomains = [cert.domain, ...(cert.sans || [])].map((d) => d.toLowerCase());
+    if (certDomains.includes(lowerDomain)) {
+      return cert;
+    }
+  }
+
+  // Then try wildcard match
+  // Note: wildcard cert *.example.com should match foo.example.com
+  // but should NOT match example.com itself (per SSL/TLS standards)
+  const domainParts = domain.split('.');
+
+  for (const cert of certs) {
+    const certDomains = [cert.domain, ...(cert.sans || [])];
+
+    for (const certDomain of certDomains) {
+      // Skip wildcard certs that would incorrectly match the base domain
+      // e.g., *.staging.myvibe.so should not match staging.myvibe.so
+      if (certDomain.startsWith('*.')) {
+        const certBaseParts = certDomain.substring(2).split('.');
+        // If domain has same or fewer parts than cert base, it's the base domain or shorter
+        // Wildcard should only match domains with more parts (subdomains)
+        if (domainParts.length <= certBaseParts.length) {
+          continue; // eslint-disable-line no-continue
+        }
+      }
+
+      if (checkDomainMatch(certDomain, domain)) {
+        return cert;
+      }
+    }
+  }
+
+  return undefined;
 };
 
 const trimEndSlash = (str) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abtnode/router-provider",
-  "version": "1.17.8-beta-20260121-102603-f9d0176f",
+  "version": "1.17.8-beta-20260125-093329-64b43854",
   "description": "Routing engine implementations for abt node",
   "author": "polunzh <polunzh@gmail.com>",
   "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -30,14 +30,14 @@
     "url": "https://github.com/ArcBlock/blocklet-server/issues"
   },
   "dependencies": {
-    "@abtnode/constant": "1.17.8-beta-20260121-102603-f9d0176f",
-    "@abtnode/db-cache": "1.17.8-beta-20260121-102603-f9d0176f",
-    "@abtnode/logger": "1.17.8-beta-20260121-102603-f9d0176f",
-    "@abtnode/router-templates": "1.17.8-beta-20260121-102603-f9d0176f",
-    "@abtnode/util": "1.17.8-beta-20260121-102603-f9d0176f",
+    "@abtnode/constant": "1.17.8-beta-20260125-093329-64b43854",
+    "@abtnode/db-cache": "1.17.8-beta-20260125-093329-64b43854",
+    "@abtnode/logger": "1.17.8-beta-20260125-093329-64b43854",
+    "@abtnode/router-templates": "1.17.8-beta-20260125-093329-64b43854",
+    "@abtnode/util": "1.17.8-beta-20260125-093329-64b43854",
     "@arcblock/http-proxy": "^1.19.1",
     "@arcblock/is-valid-domain": "^1.0.5",
-    "@ocap/util": "^1.28.5",
+    "@ocap/util": "^1.28.6",
     "axios": "^1.7.9",
     "debug": "^4.4.1",
     "fast-glob": "^3.3.2",
@@ -60,5 +60,5 @@
     "bluebird": "^3.7.2",
     "fs-extra": "^11.2.0"
   },
-  "gitHead": "7ae816f51ed511037e5b7ac0008012ebf4afc987"
+  "gitHead": "241254785bda907be2296228869b4fc9c1679a6b"
 }