Add custom middleware for to present an Angular-tailored message

Fix angular#32028

Author: aparzi

packages/angular/build/src/builders/dev-server/tests/options/allowed-hosts_spec.ts

@@ -27,12 +27,13 @@ describeServeBuilder(executeDevServer, DEV_SERVER_BUILDER_INFO, (harness, setupT
         ...BASE_OPTIONS,
       });
 
-      const { result, response } = await executeOnceAndGet(harness, '/', {
+      const { result, response, content } = await executeOnceAndGet(harness, '/', {
         request: { headers: FETCH_HEADERS },
       });
 
       expect(result?.success).toBeTrue();
       expect(response?.statusCode).toBe(403);
+      expect(content).toContain('angular.json');
     });
 
     it('does not allow an invalid host when option is an empty array', async () => {
@@ -41,12 +42,13 @@ describeServeBuilder(executeDevServer, DEV_SERVER_BUILDER_INFO, (harness, setupT
         allowedHosts: [],
       });
 
-      const { result, response } = await executeOnceAndGet(harness, '/', {
+      const { result, response, content } = await executeOnceAndGet(harness, '/', {
         request: { headers: FETCH_HEADERS },
       });
 
       expect(result?.success).toBeTrue();
       expect(response?.statusCode).toBe(403);
+      expect(content).toContain('angular.json');
     });
 
     it('allows a host when specified in the option', async () => {

packages/angular/build/src/builders/dev-server/vite/server.ts

@@ -226,6 +226,8 @@ export async function setupServer(
         ssrMode,
         resetComponentUpdates: () => templateUpdates.clear(),
         projectRoot: serverOptions.projectRoot,
+        allowedHosts: serverOptions.allowedHosts,
+        devHost: serverOptions.host,
       }),
       createRemoveIdPrefixPlugin(externalMetadata.explicitBrowser),
       await createAngularSsrTransformPlugin(serverOptions.workspaceRoot),

packages/angular/build/src/tools/vite/plugins/setup-middlewares-plugin.ts

@@ -55,6 +55,57 @@ interface AngularSetupMiddlewaresPluginOptions {
   ssrMode: ServerSsrMode;
   resetComponentUpdates: () => void;
   projectRoot: string;
+  allowedHosts: true | string[];
+  devHost: string;
+}
+
+function extractHostname(hostHeader: string | undefined): string {
+  if (!hostHeader) {
+    return '';
+  }
+
+  // Remove port if present (e.g., example.com:4200)
+  const idx = hostHeader.lastIndexOf(':');
+  if (idx > -1 && hostHeader.indexOf(']') === -1) {
+    // Skip IPv6 addresses that include ':' within brackets
+    return hostHeader.slice(0, idx).toLowerCase();
+  }
+
+  return hostHeader.toLowerCase();
+}
+
+function html403(hostname: string): string {
+  return `<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Blocked request</title>
+    <style>
+      body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif;
+      line-height:1.4;margin:2rem;color:#1f2937}
+      code{background:#f3f4f6;padding:.15rem .35rem;border-radius:.25rem}
+      .box{max-width:760px;margin:0 auto}
+      h1{font-size:1.5rem;margin-bottom:.75rem}
+      p{margin:.5rem 0}
+      .muted{color:#6b7280}
+      pre{background:#f9fafb;border:1px solid #e5e7eb;padding:.75rem;border-radius:.5rem;overflow:auto}
+    </style>
+  </head>
+  <body>
+    <main>
+      <h1>Blocked request. This host ("${hostname}") is not allowed.</h1>
+      <p>To allow this host, add it to <code>allowedHosts</code> under the <code>serve</code> target in <code>angular.json</code>.</p>
+      <pre><code>{
+  "serve": {
+    "options": {
+      "allowedHosts": ["${hostname}"]
+    }
+  }
+}</code></pre>
+    </main>
+  </body>
+  </html>`;
 }
 
 async function createEncapsulateStyle(): Promise<
@@ -109,6 +160,88 @@ export function createAngularSetupMiddlewaresPlugin(
       // before the built-in HTML middleware
       // eslint-disable-next-line @typescript-eslint/no-misused-promises
       return async () => {
+        type MiddlewareStackEntry = {
+          route?: string;
+          handle?: (Connect.NextHandleFunction & { name?: string }) | undefined;
+        };
+
+        // Vite/Connect do not expose a typed stack, cast once to a precise structural type.
+        const mws = server.middlewares as unknown as { stack: MiddlewareStackEntry[] };
+        const middlewareStack = mws.stack;
+
+        // Helper to locate Vite's host validation middleware safely
+        const findHostValidationEntry = (
+          stack: readonly MiddlewareStackEntry[],
+        ): MiddlewareStackEntry | undefined =>
+          stack.find(
+            ({ handle }) =>
+              typeof handle === 'function' &&
+              typeof handle.name === 'string' &&
+              handle.name.startsWith('hostValidationMiddleware'),
+          );
+
+        const entry = findHostValidationEntry(middlewareStack);
+
+        if (entry && typeof entry.handle === 'function') {
+          const originalHandle = entry.handle as Connect.NextHandleFunction;
+
+          entry.handle = function angularHostValidationMiddleware(req, res, next) {
+            const originalWriteHead = res.writeHead.bind(res);
+            const originalEnd = res.end.bind(res);
+            const originalWrite = res.write.bind(res);
+
+            let blocked = false;
+            let capturedStatus: number | undefined;
+
+            // Intercept writeHead: detect block and delay header sending
+            res.writeHead = function (...args: Parameters<typeof res.writeHead>) {
+              const statusCode = args[0];
+              capturedStatus = statusCode;
+              if (typeof statusCode === 'number' && statusCode >= 400) {
+                blocked = true;
+
+                return res;
+              }
+
+              return originalWriteHead.apply(res, args);
+            } as typeof res.writeHead;
+
+            // Intercept write to avoid implicitly sending headers/body when blocked
+            res.write = function (
+              ...args: Parameters<typeof res.write>
+            ): ReturnType<typeof res.write> {
+              if (blocked) {
+                // Swallow writes to prevent Node from implicitly sending headers
+                return true as ReturnType<typeof res.write>;
+              }
+
+              return originalWrite.apply(res, args);
+            } as typeof res.write;
+
+            res.end = function (...args: Parameters<typeof res.end>): ReturnType<typeof res.end> {
+              if (blocked) {
+                const hostname = extractHostname(req.headers.host);
+                const body = html403(hostname);
+                const status = capturedStatus && capturedStatus >= 400 ? capturedStatus : 403;
+
+                // Headers were not sent yet because we intercepted writeHead for blocked case
+                if (!res.headersSent) {
+                  const headers: import('node:http').OutgoingHttpHeaders = {
+                    'Content-Type': 'text/html; charset=utf-8',
+                  };
+                  originalWriteHead(status, headers);
+                }
+
+                return originalEnd(body);
+              }
+
+              return originalEnd.apply(res, args);
+            } as typeof res.end;
+
+            return originalHandle(req, res, next);
+          };
+        }
+
         if (ssrMode === ServerSsrMode.ExternalSsrMiddleware) {
           server.middlewares.use(
             await createAngularSsrExternalMiddleware(server, indexHtmlTransformer),