feat: add CORS_ORIGIN_STRICT_MODE_ENABLED env var to determine if CORS origin should be restricted

Karol Sójko 2024-03-20 15:59:43 +01:00
parent 0a1e555b13
commit 5c02435ee4
No known key found for this signature in database
GPG key ID: B06B39F95BCFA624
3 changed files with 30 additions and 0 deletions


@ -91,6 +91,16 @@ void container.load().then((container) => {
credentials: true, credentials: true,
exposedHeaders: ['x-captcha-required'], exposedHeaders: ['x-captcha-required'],
origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => { origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
: false
if (!originStrictModeEnabled) {
callback(null, [requestOrigin as string])
return
}
const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null' const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://') const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://') const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
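Review bot: The new flag fails open: when `CORS_ORIGIN_STRICT_MODE_ENABLED` is unset, empty, or anything other than the exact string `'true'`, the early return on the `if (!originStrictModeEnabled)` branch reflects whatever `Origin` the client sent, and this `cors` config also sets `credentials: true` three lines above the hunk, so any site can make credentialed cross-origin requests against a deployment that simply forgot to set the variable. A deployment-controlled relaxation should default to strict and require an explicit opt-out, e.g. `const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) !== 'false'` (assuming the second argument to `env.get` marks the variable as optional and an unset value comes back as `undefined`/`''` — worth confirming against the `Env` helper). The `origin` callback and the enclosing `container.load().then(...)` both continue outside this hunk.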


@ -79,6 +79,16 @@ void container.load().then((container) => {
'Access-Control-Allow-Origin', 'Access-Control-Allow-Origin',
], ],
origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => { origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
: false
if (!originStrictModeEnabled) {
callback(null, [requestOrigin as string])
return
}
const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null' const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://') const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://') const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
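Review bot: The ten-line flag parse plus early return is pasted verbatim into three separate `origin` callbacks in this commit, so a future fix to the default or the string comparison has to land in three places to be effective, which is exactly the kind of drift that leaves one service permissive. It would be cleaner to read the flag once, outside the per-request callback, `const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'` (the ternary is redundant: a falsy lookup already fails the `=== 'true'` test), and ideally to move the whole origin-check into a shared helper in the common package so all three servers share one policy. Reading it at startup also avoids two `env.get` calls per request. The `origin` callback continues past the end of this hunk.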


@ -137,6 +137,16 @@ export class HomeServer implements HomeServerInterface {
credentials: true, credentials: true,
exposedHeaders: ['Content-Range', 'Accept-Ranges', 'x-captcha-required'], exposedHeaders: ['Content-Range', 'Accept-Ranges', 'x-captcha-required'],
origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => { origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
: false
if (!originStrictModeEnabled) {
callback(null, [requestOrigin as string])
return
}
const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null' const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://') const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://') const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
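Review bot: The non-strict branch is undocumented, and `callback(null, [requestOrigin as string])` casts away the `string | undefined` type the callback signature declares, so a request with no `Origin` header hands `[undefined]` to `cors` (presumably harmless there, since no origin matches, but the cast hides it). Add a comment above the `if (!originStrictModeEnabled)` line making the trade-off explicit for whoever sets the variable, e.g. `// Non-strict mode reflects any request Origin with credentials; only disable strict mode for self-hosted instances that trust every client that can reach them.`, and drop the cast in favour of a guard, `callback(null, requestOrigin ? [requestOrigin] : [])`. The `HomeServer` method this sits in starts before and ends after the hunk.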