Skip to content

Commit

Permalink
Fix allowing all origins (#4)
Browse files Browse the repository at this point in the history
* 🐛 fix allowing all origins, add tests to verify

* 0.2.1
  • Loading branch information
domeq authored Nov 23, 2020
1 parent 542dd1b commit 3019dbd
Show file tree
Hide file tree
Showing 4 changed files with 97 additions and 8 deletions.
17 changes: 11 additions & 6 deletions index.js
Original file line number Diff line number Diff line change
@@ -1,19 +1,24 @@
const R = require('ramda');

const getAllowedOrigin = (origin, allowedOrigins) => {
if (R.includes('*', allowedOrigins)) {
return origin;
}

return R.find((allowedOrigin) => allowedOrigin === origin, allowedOrigins);
};

const getCorsHeaders = (
{ allowedOrigins, exposeHeaders, maxAge, credentials, allowMethods, allowHeaders } = {},
event
) => {
const headers = {};

if (allowedOrigins) {
const isOriginAllowed = R.find(
(allowedOrigin) => allowedOrigin === R.path(['headers', 'origin'], event),
allowedOrigins
);
const origin = getAllowedOrigin(R.path(['headers', 'origin'], event), allowedOrigins);

if (isOriginAllowed) {
headers['access-control-allow-origin'] = isOriginAllowed;
if (origin) {
headers['access-control-allow-origin'] = origin;
}
}

Expand Down
84 changes: 84 additions & 0 deletions index.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,49 @@ test('Adds CORS headers on success from allowed origin', async () => {
});
});

test('Adds CORS headers on success when all origins allowed', async () => {
const handler = middy(async () => ({
statusCode: 200,
body: JSON.stringify({ foo: 'bar' }),
headers: {
someHeader: 'someValue',
},
}));

handler.use(
middleware({
allowedOrigins: ['*'],
exposeHeaders: ['x-my-header'],
maxAge: 2628000, // 1 month
credentials: true,
allowMethods: ['GET', 'POST'],
allowHeaders: ['Content-Type', 'Accept', 'X-Forwarded-For'],
})
);

const response = await handler(
{
headers: {
origin: 'https://www.tek.no',
},
},
{}
);
expect(response).toEqual({
statusCode: 200,
headers: {
'access-control-allow-credentials': true,
'access-control-allow-headers': 'Content-Type, Accept, X-Forwarded-For',
'access-control-allow-methods': 'GET, POST',
'access-control-allow-origin': 'https://www.tek.no',
'access-control-expose-headers': 'x-my-header',
'access-control-max-age': 2628000,
someHeader: 'someValue',
},
body: JSON.stringify({ foo: 'bar' }),
});
});

test('Adds CORS headers on error from disallowed origin', async () => {
const handler = middy(async () => {
throw new createError.InternalServerError('whoops');
Expand Down Expand Up @@ -189,6 +232,47 @@ test('Adds CORS headers on error from allowed origin', async () => {
);
});

test('Adds CORS headers on error when all origins allowed', async () => {
const handler = middy(async () => {
throw new createError.InternalServerError('whoops');
});

handler.use(
middleware({
allowedOrigins: ['*'],
exposeHeaders: ['x-my-header'],
maxAge: 2628000, // 1 month
credentials: true,
allowMethods: ['GET', 'POST'],
allowHeaders: ['Content-Type', 'Accept', 'X-Forwarded-For'],
})
);

await expect(
handler(
{
headers: {
origin: 'https://www.tek.no',
},
},
{}
)
).rejects.toEqual(
expect.objectContaining({
response: {
headers: {
'access-control-allow-credentials': true,
'access-control-allow-headers': 'Content-Type, Accept, X-Forwarded-For',
'access-control-allow-methods': 'GET, POST',
'access-control-allow-origin': 'https://www.tek.no',
'access-control-expose-headers': 'x-my-header',
'access-control-max-age': 2628000,
},
},
})
);
});

test('Keep headers already present in the response on error from disallowed origin', async () => {
const handler = middy(async () => {
throw new createError.InternalServerError('whoops');
Expand Down
2 changes: 1 addition & 1 deletion package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@schibsted/middy-cors",
"version": "0.2.0",
"version": "0.2.1",
"description": "Middy middleware for adding CORS headers to success response and errors",
"main": "index.js",
"engines": {
Expand Down

0 comments on commit 3019dbd

Please sign in to comment.