From 11f3e9e8783a3d525c75c7704dfe9c68da8ecd2b Mon Sep 17 00:00:00 2001 From: arafato Date: Sat, 17 Feb 2018 21:18:46 +0100 Subject: [PATCH] implementation #156 --- lib/actions/blob/PreflightBlobRequest.js | 6 ++-- lib/middleware/blob/cors.js | 39 ++++++++++++------------ 2 files changed, 23 insertions(+), 22 deletions(-) diff --git a/lib/actions/blob/PreflightBlobRequest.js b/lib/actions/blob/PreflightBlobRequest.js index 771db51..768034a 100644 --- a/lib/actions/blob/PreflightBlobRequest.js +++ b/lib/actions/blob/PreflightBlobRequest.js @@ -9,12 +9,12 @@ class PreflightBlobRequest { } process(req, res) { - const response = new AzuriteResponse(); - response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_ORIGIN, req.httpProps[N.ORIGIN]); + const response = new AzuriteResponse(); // Add Access-Control-Expose-Headers + response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_ORIGIN, req.httpProps[N.ORIGIN]); // Refactor into response response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_METHODS, req.httpProps[N.ACCESS_CONTROL_REQUEST_METHOD]); response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_HEADERS, req.httpProps[N.ACCESS_CONTROL_ALLOW_HEADERS]); response.addHttpProperty(N.ACCESS_CONTROL_MAX_AGE, req.cors.maxAgeInSeconds); - response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_CREDENTIALS, true); + response.addHttpProperty(N.ACCESS_CONTROL_ALLOW_CREDENTIALS, true); // Refactor into response res.status(200).send(); } } diff --git a/lib/middleware/blob/cors.js b/lib/middleware/blob/cors.js index 97566ec..c8e8f4e 100644 --- a/lib/middleware/blob/cors.js +++ b/lib/middleware/blob/cors.js @@ -13,32 +13,33 @@ module.exports = (req, res, next) => { const request = req.azuriteRequest; sm.getBlobServiceProperties() .then((response) => { - const allowedMethods = req.azuriteOperation === Operations.Account.PREFLIGHT_BLOB_REQUEST - ? request.httpProps[N.ACCESS_CONTROL_REQUEST_METHOD].toLowerCase() - : req.method.toLowerCase(); + if (response.payload.StorageServiceProperties && request.httpProps[N.ORIGIN]) { + const allowedMethods = req.azuriteOperation === Operations.Account.PREFLIGHT_BLOB_REQUEST + ? request.httpProps[N.ACCESS_CONTROL_REQUEST_METHOD].toLowerCase() + : req.method.toLowerCase(); - const allowedHeaders = req.azuriteOperation === Operations.Account.PREFLIGHT_BLOB_REQUEST - ? request.httpProps[N.ACCESS_CONTROL_REQUEST_HEADERS].toLowerCase().split(',') - .reduce((acc, e) => { - const key = Object.keys(e)[0]; - acc[key] = e[key]; - return acc; - }, {}) - : req.headers; + const allowedHeaders = req.azuriteOperation === Operations.Account.PREFLIGHT_BLOB_REQUEST + ? request.httpProps[N.ACCESS_CONTROL_REQUEST_HEADERS].toLowerCase().split(',') + .reduce((acc, e) => { + const key = Object.keys(e)[0]; + acc[key] = e[key]; + return acc; + }, {}) + : req.headers; - if (response.payload.StorageServiceProperties && request.httpProps[N.ORIGIN]) { + let valid = null; for (const rule of response.payload.StorageServiceProperties.Cors) { - if (!rule.AllowedOrigins.includes(request.httpProps[N.ORIGIN])) { - throw new AError(ErrorCodes.CorsForbidden); + valid = false; + if (!rule.AllowedOrigins.includes(request.httpProps[N.ORIGIN]) && !rule.AllowedOrigins.includes('*')) { + continue; } if (!rule.AllowedMethods.includes(allowedMethods)) { - throw new AError(ErrorCodes.CorsForbidden); + continue; } rule.AllowedHeaders.split(',') .forEach((e) => { - let valid = false; Object.keys(allowedHeaders).forEach((requestHeader) => { if (e.charAt(e.length) === '*') { valid = requestHeader.includes(e.slice(0, -1)); @@ -46,14 +47,14 @@ module.exports = (req, res, next) => { valid = (e === requestHeader); } }); - if (!valid) { - throw new AError(ErrorCodes.CorsForbidden); - } }); // Rule is valid, caching max-age-in-seconds value for preflight request action handler req.azuriteRequest.cors.maxAgeInSeconds = response.payload.StorageServiceProperties.Cors.MaxAgeInSeconds; } + if (!valid) { + throw new AError(ErrorCodes.CorsForbidden); + } } next(); });