feat: add CORS_ORIGIN_STRICT_MODE_ENABLED env var to determine if CORS origin should be restricted

2024-03-20 15:59:43 +01:00 · 2024-03-20 15:59:43 +01:00 · 5c02435ee4
commit 5c02435ee4
parent 0a1e555b13
3 changed files with 30 additions and 0 deletions
--- a/packages/api-gateway/bin/server.ts
+++ b/packages/api-gateway/bin/server.ts
@ -91,6 +91,16 @@ void container.load().then((container) => {
        credentials: true,
        exposedHeaders: ['x-captcha-required'],
        origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
+          const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
+            ? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
+            : false
+
+          if (!originStrictModeEnabled) {
+            callback(null, [requestOrigin as string])
+
+            return
+          }
+
          const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
          const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
          const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
--- a/packages/files/bin/server.ts
+++ b/packages/files/bin/server.ts
@ -79,6 +79,16 @@ void container.load().then((container) => {
          'Access-Control-Allow-Origin',
        ],
        origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
+          const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
+            ? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
+            : false
+
+          if (!originStrictModeEnabled) {
+            callback(null, [requestOrigin as string])
+
+            return
+          }
+
          const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
          const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
          const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
--- a/packages/home-server/src/Server/HomeServer.ts
+++ b/packages/home-server/src/Server/HomeServer.ts
@ -137,6 +137,16 @@ export class HomeServer implements HomeServerInterface {
            credentials: true,
            exposedHeaders: ['Content-Range', 'Accept-Ranges', 'x-captcha-required'],
            origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
+              const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
+                ? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
+                : false
+
+              if (!originStrictModeEnabled) {
+                callback(null, [requestOrigin as string])
+
+                return
+              }
+
              const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
              const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
              const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')