beenull/standardnotes-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix: cors issues on clients - fixes #1046 (#1049)

Browse source
This commit is contained in:
Karol Sójko 2024-03-18 09:43:58 +01:00 committed by GitHub
parent 00bfaaa53d
commit 6d7ca1b926
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 104 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
packages/api-gateway/bin/server.ts
View file

@ -83,7 +83,41 @@ void container.load().then((container) => {
type: ['text/plain', 'application/x-www-form-urlencoded', 'application/x-www-form-urlencoded; charset=utf-8'],
}),
)
app.use(cors())
const corsAllowedOrigins = env.get('CORS_ALLOWED_ORIGINS', true)
? env.get('CORS_ALLOWED_ORIGINS', true).split(',')
: []
app.use(
cors({
credentials: true,
exposedHeaders: ['x-captcha-required'],
origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
const requestOriginatesFromSelfHostedAppOnHttpPort = requestOrigin === 'http://localhost'
const requestOriginatesFromSelfHostedAppOnCustomPort = requestOrigin?.match(/http:\/\/localhost:\d+/) !== null
const requestOriginatesFromSelfHostedApp =
requestOriginatesFromSelfHostedAppOnHttpPort || requestOriginatesFromSelfHostedAppOnCustomPort
const requestIsWhitelisted =
corsAllowedOrigins.length === 0 ||
requstOriginIsNotFilled ||
requestOriginatesFromTheDesktopApp ||
requestOriginatesFromClipperForFirefox ||
requestOriginatesFromSelfHostedApp
if (requestIsWhitelisted) {
callback(null, [requestOrigin as string])
} else {
if (corsAllowedOrigins.includes(requestOrigin)) {
callback(null, [requestOrigin])
} else {
callback(new Error('Not allowed by CORS', { cause: 'origin not allowed' }))
}
}
},
}),
)
app.use(
robots({
UserAgent: '*',

38
packages/files/bin/server.ts
View file

@ -65,9 +65,45 @@ void container.load().then((container) => {
app.use(json({ limit: requestPayloadLimit }))
app.use(raw({ limit: requestPayloadLimit, type: 'application/octet-stream' }))
app.use(urlencoded({ extended: true, limit: requestPayloadLimit }))
const corsAllowedOrigins = env.get('CORS_ALLOWED_ORIGINS', true)
? env.get('CORS_ALLOWED_ORIGINS', true).split(',')
: []
app.use(
cors({
exposedHeaders: ['Content-Range', 'Accept-Ranges'],
credentials: true,
exposedHeaders: [
'Content-Range',
'Accept-Ranges',
'Access-Control-Allow-Credentials',
'Access-Control-Allow-Origin',
],
origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
const requestOriginatesFromSelfHostedAppOnHttpPort = requestOrigin === 'http://localhost'
const requestOriginatesFromSelfHostedAppOnCustomPort = requestOrigin?.match(/http:\/\/localhost:\d+/) !== null
const requestOriginatesFromSelfHostedApp =
requestOriginatesFromSelfHostedAppOnHttpPort || requestOriginatesFromSelfHostedAppOnCustomPort
const requestIsWhitelisted =
corsAllowedOrigins.length === 0 ||
requstOriginIsNotFilled ||
requestOriginatesFromTheDesktopApp ||
requestOriginatesFromClipperForFirefox ||
requestOriginatesFromSelfHostedApp
if (requestIsWhitelisted) {
callback(null, [requestOrigin as string])
} else {
if (corsAllowedOrigins.includes(requestOrigin)) {
callback(null, [requestOrigin])
} else {
callback(new Error('Not allowed by CORS', { cause: 'origin not allowed' }))
}
}
},
}),
)
app.use(

33
packages/home-server/src/Server/HomeServer.ts
View file

@ -129,9 +129,40 @@ export class HomeServer implements HomeServerInterface {
],
}),
)
const corsAllowedOrigins = env.get('CORS_ALLOWED_ORIGINS', true)
? env.get('CORS_ALLOWED_ORIGINS', true).split(',')
: []
app.use(
cors({
exposedHeaders: ['Content-Range', 'Accept-Ranges'],
credentials: true,
exposedHeaders: ['Content-Range', 'Accept-Ranges', 'x-captcha-required'],
origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
const requestOriginatesFromSelfHostedAppOnHttpPort = requestOrigin === 'http://localhost'
const requestOriginatesFromSelfHostedAppOnCustomPort =
requestOrigin?.match(/http:\/\/localhost:\d+/) !== null
const requestOriginatesFromSelfHostedApp =
requestOriginatesFromSelfHostedAppOnHttpPort || requestOriginatesFromSelfHostedAppOnCustomPort
const requestIsWhitelisted =
corsAllowedOrigins.length === 0 ||
requstOriginIsNotFilled ||
requestOriginatesFromTheDesktopApp ||
requestOriginatesFromClipperForFirefox ||
requestOriginatesFromSelfHostedApp
if (requestIsWhitelisted) {
callback(null, [requestOrigin as string])
} else {
if (corsAllowedOrigins.includes(requestOrigin)) {
callback(null, [requestOrigin])
} else {
callback(new Error('Not allowed by CORS', { cause: 'origin not allowed' }))
}
}
},
}),
)
app.use(