implementation #156

arafato · Feb 17, 2018 · 11f3e9e · 11f3e9e
1 parent 771062e
commit 11f3e9e
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 22 deletions.
diff --git a/lib/actions/blob/PreflightBlobRequest.js b/lib/actions/blob/PreflightBlobRequest.js
@@ -9,12 +9,12 @@ class PreflightBlobRequest {
     }
 
     process(req, res) {
-        const response = new AzuriteResponse();
-        response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_ORIGIN, req.httpProps[N.ORIGIN]);
+        const response = new AzuriteResponse(); // Add Access-Control-Expose-Headers
+        response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_ORIGIN, req.httpProps[N.ORIGIN]); // Refactor into response
         response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_METHODS, req.httpProps[N.ACCESS_CONTROL_REQUEST_METHOD]);
         response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_HEADERS, req.httpProps[N.ACCESS_CONTROL_ALLOW_HEADERS]);
         response.addHttpProperty(N.ACCESS_CONTROL_MAX_AGE, req.cors.maxAgeInSeconds);
-        response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_CREDENTIALS, true);
+        response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_CREDENTIALS, true); // Refactor into response
         res.status(200).send();
     }
 }

diff --git a/lib/middleware/blob/cors.js b/lib/middleware/blob/cors.js
@@ -13,47 +13,48 @@ module.exports = (req, res, next) => {
         const request = req.azuriteRequest;
         sm.getBlobServiceProperties()
             .then((response) => {
-                const allowedMethods = req.azuriteOperation === Operations.Account.PREFLIGHT_BLOB_REQUEST
-                    ? request.httpProps[N.ACCESS_CONTROL_REQUEST_METHOD].toLowerCase()
-                    : req.method.toLowerCase();
+                if (response.payload.StorageServiceProperties && request.httpProps[N.ORIGIN]) {
+                    const allowedMethods = req.azuriteOperation === Operations.Account.PREFLIGHT_BLOB_REQUEST
+                        ? request.httpProps[N.ACCESS_CONTROL_REQUEST_METHOD].toLowerCase()
+                        : req.method.toLowerCase();
 
-                const allowedHeaders = req.azuriteOperation === Operations.Account.PREFLIGHT_BLOB_REQUEST
-                    ? request.httpProps[N.ACCESS_CONTROL_REQUEST_HEADERS].toLowerCase().split(',')
-                        .reduce((acc, e) => {
-                            const key = Object.keys(e)[0];
-                            acc[key] = e[key];
-                            return acc;
-                        }, {})
-                    : req.headers;
+                    const allowedHeaders = req.azuriteOperation === Operations.Account.PREFLIGHT_BLOB_REQUEST
+                        ? request.httpProps[N.ACCESS_CONTROL_REQUEST_HEADERS].toLowerCase().split(',')
+                            .reduce((acc, e) => {
+                                const key = Object.keys(e)[0];
+                                acc[key] = e[key];
+                                return acc;
+                            }, {})
+                        : req.headers;
 
-                if (response.payload.StorageServiceProperties && request.httpProps[N.ORIGIN]) {
+                    let valid = null;
                     for (const rule of response.payload.StorageServiceProperties.Cors) {
-                        if (!rule.AllowedOrigins.includes(request.httpProps[N.ORIGIN])) {
-                            throw new AError(ErrorCodes.CorsForbidden);
+                        valid = false;
+                        if (!rule.AllowedOrigins.includes(request.httpProps[N.ORIGIN]) && !rule.AllowedOrigins.includes('*')) {
+                            continue;
                         }
 
                         if (!rule.AllowedMethods.includes(allowedMethods)) {
-                            throw new AError(ErrorCodes.CorsForbidden);
+                            continue;
                         }
 
                         rule.AllowedHeaders.split(',')
                             .forEach((e) => {
-                                let valid = false;
                                 Object.keys(allowedHeaders).forEach((requestHeader) => {
                                     if (e.charAt(e.length) === '*') {
                                         valid = requestHeader.includes(e.slice(0, -1));
                                     } else {
                                         valid = (e === requestHeader);
                                     }
                                 });
-                                if (!valid) {
-                                    throw new AError(ErrorCodes.CorsForbidden);
-                                }
                             });
 
                         // Rule is valid, caching max-age-in-seconds value for preflight request action handler 
                         req.azuriteRequest.cors.maxAgeInSeconds = response.payload.StorageServiceProperties.Cors.MaxAgeInSeconds;
                     }
+                    if (!valid) {
+                        throw new AError(ErrorCodes.CorsForbidden);
+                    }
                 }
                 next();
             });