From 5c02435ee478b893747d3f9e41062aae12d7ff10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karol=20S=C3=B3jko?=
Date: Wed, 20 Mar 2024 15:59:43 +0100
Subject: [PATCH] feat: add CORS_ORIGIN_STRICT_MODE_ENABLED env var to determine if CORS origin should be restricted
---
 packages/api-gateway/bin/server.ts | 10 ++++++++++
 packages/files/bin/server.ts | 10 ++++++++++
 packages/home-server/src/Server/HomeServer.ts | 10 ++++++++++
 3 files changed, 30 insertions(+)
diff --git a/packages/api-gateway/bin/server.ts b/packages/api-gateway/bin/server.ts
index a374eece7..34a067ff4 100644
--- a/packages/api-gateway/bin/server.ts
+++ b/packages/api-gateway/bin/server.ts
@@ -91,6 +91,16 @@ void container.load().then((container) => {
 credentials: true,
 exposedHeaders: ['x-captcha-required'],
 origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
+ const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
+ ? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
+ : false
+
+ if (!originStrictModeEnabled) {
+ callback(null, [requestOrigin as string])
+
+ return
+ }
+
 const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
 const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
 const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
diff --git a/packages/files/bin/server.ts b/packages/files/bin/server.ts
index eda20a951..276976610 100644
--- a/packages/files/bin/server.ts
+++ b/packages/files/bin/server.ts
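Review bot: With the variable unset, `originStrictModeEnabled` is false and the new early return in packages/api-gateway/bin/server.ts hands the request's own Origin back as the allowed list, so (assuming the CORS middleware reflects an origin found in that list) any website is accepted on an endpoint that also sets `credentials: true`. The allowlist checks that follow the early return, and continue past the end of the hunk, now run only for deployments that opt in, which reverses the previous default; the same block is added in packages/files/bin/server.ts and packages/home-server/src/Server/HomeServer.ts. I would make strict the default and require an explicit opt-out, `const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) !== 'false'`, and log a warning at startup when it is off. As written, a value such as `TRUE` or `1` also silently disables the check.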
@@ -79,6 +79,16 @@ void container.load().then((container) => {
 'Access-Control-Allow-Origin',
 ],
 origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
+ const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
+ ? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
+ : false
+
+ if (!originStrictModeEnabled) {
+ callback(null, [requestOrigin as string])
+
+ return
+ }
+
 const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
 const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
 const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
diff --git a/packages/home-server/src/Server/HomeServer.ts b/packages/home-server/src/Server/HomeServer.ts
index 312e6b8c9..e01d54f50 100644
--- a/packages/home-server/src/Server/HomeServer.ts
+++ b/packages/home-server/src/Server/HomeServer.ts
@@ -137,6 +137,16 @@ export class HomeServer implements HomeServerInterface {
 credentials: true,
 exposedHeaders: ['Content-Range', 'Accept-Ranges', 'x-captcha-required'],
 origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
+ const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
+ ? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
+ : false
+
+ if (!originStrictModeEnabled) {
+ callback(null, [requestOrigin as string])
+
+ return
+ }
+
 const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
 const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
 const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
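Review bot: The `requestOrigin as string` cast in the permissive branch of packages/files/bin/server.ts hides the `undefined` case that the parameter type declares, so a request without an Origin header reaches the callback as `[undefined]` typed as `string[]`. Handling it explicitly keeps the types honest: `callback(null, requestOrigin ? [requestOrigin] : [])`. The ternary around `env.get` is also redundant, since `env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'` is already false for a missing value. The identical ten lines are added to the api-gateway and HomeServer hunks as well, so one shared helper would keep the three CORS policies from drifting apart. The `origin` callback continues past the end of the hunk.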