From 76fa0649f232b50fb163f272b5015fb0fa56283c Mon Sep 17 00:00:00 2001
From: Kayne Ruse
Date: Tue, 26 Jul 2022 13:39:04 +0100
Subject: [PATCH] Tweak cors handling
---
 .envdev | 2 ++
 configure-script.js | 2 ++
 package-lock.json | 4 ++--
 package.json | 2 +-
 server/news/index.js | 25 +++++++++++++++++--------
 server/server.js | 2 --
 6 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/.envdev b/.envdev
index 6d5a388..e7fa7f4 100644
--- a/.envdev
+++ b/.envdev
@@ -1,5 +1,7 @@
 WEB_PORT=3100
+WEB_ORIGIN=http://localhost:3001
+
 DB_HOSTNAME=database
 DB_DATABASE=news
 DB_USERNAME=news
diff --git a/configure-script.js b/configure-script.js
index e708a87..ab08b74 100644
--- a/configure-script.js
+++ b/configure-script.js
@@ -30,6 +30,7 @@ const question = (prompt, def = null) => {
 //project configuration
 const appName = await question('App Name', 'news');
 const appWebAddress = await question('Web Addr', `${appName}.example.com`);
+ const appWebOrigin = await question('Web Origin', `https://example.com`);
 //TODO: clean these up properly
 const appPort = await question('App Port', '3100');
 const appDBUser = await question('DB User', appName);
@@ -59,6 +60,7 @@ services:
 - "traefik.http.services.${appName}service.loadbalancer.server.port=${appPort}"
 environment:
 - WEB_PORT=${appPort}
+ - WEB_ORIGIN=${appWebOrigin}
 - DB_HOSTNAME=database
 - DB_DATABASE=${appName}
 - DB_USERNAME=${appDBUser}
diff --git a/package-lock.json b/package-lock.json
index 53ce7fc..c036c02 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "news-server",
- "version": "1.4.5",
+ "version": "1.5.0",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "news-server",
- "version": "1.4.5",
+ "version": "1.5.0",
 "license": "ISC",
 "dependencies": {
 "cors": "^2.8.5",
diff --git a/package.json b/package.json
index 69fb801..833a69a 100644
--- a/package.json
+++ b/package.json
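Review bot: `WEB_ORIGIN` is compared exactly against the browser's Origin header by the cors configuration in server/news/index.js, so this file should say what shape the value must have; a comment above the line such as `# exact origin of the browser client (scheme://host[:port], no path or trailing slash) allowed to make credentialed cross-origin requests` would head off the common `https://host/` mistake. dotenv treats `#` lines as comments, so the note costs nothing at runtime.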
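Review bot: The `Web Origin` answer is written unchanged into WEB_ORIGIN, which server/news/index.js uses as an exact-match CORS origin, so an answer like `https://example.com/` or `example.com` is accepted here and then silently matches no browser request; normalise it at the prompt with `const appWebOrigin = new URL(await question('Web Origin', 'https://example.com')).origin;` so a path or trailing slash is dropped and a value without a scheme fails loudly. `URL.origin` lowercases the host and omits a default port, which is the same serialisation the browser sends, so the stored value stays comparable. The prompt text could also say this is the browser client's origin rather than the API's address, since the neighbouring `Web Addr` default (`${appName}.example.com`) is easy to confuse with it. The enclosing async function starts outside the hunk.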
@@ -1,6 +1,6 @@
 {
 "name": "news-server",
- "version": "1.4.5",
+ "version": "1.5.0",
 "description": "An API centric news server. Uses Sequelize and mariaDB by default.",
 "main": "server/server.js",
 "scripts": {
diff --git a/server/news/index.js b/server/news/index.js
index 44c1575..2ceed03 100644
--- a/server/news/index.js
+++ b/server/news/index.js
@@ -1,5 +1,6 @@
 const express = require('express');
 const router = express.Router();
+const cors = require('cors'); //route-by-route, because some routes are available without authentication
 //middleware
 const authToken = require('../utilities/token-auth');
@@ -11,17 +12,25 @@ const edit = require('./edit');
 const remove = require('./remove');
 //basic route management (all query possibilities)
-router.get('/', query(false, false));
-router.get('/:id(\\d+)', query(false, false));
-router.get('/archive', query(true, false));
-router.get('/archive/:id(\\d+)', query(true, false));
-router.get('/metadata', query(false, true));
-router.get('/metadata/:id(\\d+)', query(false, true));
-router.get('/archive/metadata', query(true, true));
-router.get('/archive/metadata/:id(\\d+)', query(true, true));
+router.get('/', cors(), query(false, false));
+router.get('/:id(\\d+)', cors(), query(false, false));
+router.get('/archive', cors(), query(true, false));
+router.get('/archive/:id(\\d+)', cors(), query(true, false));
+router.get('/metadata', cors(), query(false, true));
+router.get('/metadata/:id(\\d+)', cors(), query(false, true));
+router.get('/archive/metadata', cors(), query(true, true));
+router.get('/archive/metadata/:id(\\d+)', cors(), query(true, true));
 //use middleware to authenticate the rest of the routes
+router.use(cors({
+ credentials: true,
+ origin: [`${process.env.WEB_ORIGIN}`], //because auth-server
+ allowedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization', 'Set-Cookie'],
+ exposedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization', 'Set-Cookie'],
+}));
+
 router.use(authToken);
+
 router.use((req, res, next) => {
 if (req.user.mod) {
 next();
diff --git a/server/server.js b/server/server.js
index 462ffa9..8b483a3 100644
--- a/server/server.js
+++ b/server/server.js
@@ -5,11 +5,9 @@ require('dotenv').config();
 const express = require('express');
 const app = express();
 const server = require('http').Server(app);
-const cors = require('cors');
 //config
 app.use(express.json());
-app.use(cors());
 //database connection
 const database = require('./database');
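Review bot: The `origin` entry wraps `process.env.WEB_ORIGIN` in a template literal, so an unset variable becomes the literal string `"undefined"` and a deployment that forgets WEB_ORIGIN does not fail at startup but silently sends no Access-Control-Allow-Origin on every authenticated route; read the variable once, refuse an empty value, and pass the string through as-is. The cors package never rejects a request on its own — a non-matching origin is still handed to the route and only the browser withholds the response — so `authToken` below remains the real gate, and the exact-match array is the right shape to keep alongside `credentials: true` (no `origin: true` or a function that reflects the request origin). `Set-Cookie` in `allowedHeaders`/`exposedHeaders` has no effect, since it is a response header that browsers never expose to scripts, so drop it from both lists. A preflight OPTIONS for the public GET routes above is not matched by `router.get` and falls through to this stricter handler; if those routes must accept custom headers from arbitrary origins, add `router.options('*', cors())` ahead of this block.
```javascript
//use middleware to authenticate the rest of the routes
const webOrigin = process.env.WEB_ORIGIN;
if (!webOrigin) {
  //fail at startup rather than silently refusing every cross-origin request
  throw new Error('WEB_ORIGIN must be set to the exact origin of the web client, e.g. https://example.com');
}
router.use(cors({
  credentials: true,
  origin: [webOrigin], //exact match against the auth-server's web client; never reflect the request origin when credentials are allowed
  allowedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization'],
  exposedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization'],
}));
// … unchanged: router.use(authToken) and the mod check …
```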