From 8cd079ea8ec5f7630cb1a7ba93f82e8e7bda296b Mon Sep 17 00:00:00 2001 From: Alan Friedman Date: Sun, 19 May 2019 16:42:30 -0400 Subject: [PATCH] CORS fixes (#72) * Add SITE_URL env var * Debug git branch * Set site URL to "false" * Bug fix * Fix CORS allowed methods * Upgrade kcors * Fix for API HOST in review apps * Review app fixes * Add bin/bash * Refactor site URL code * Cleanup API host --- .gitignore | 3 ++- app.json | 10 ++++++++++ build.sh | 11 ++++++++++- server/.env.sample | 3 ++- server/package.json | 2 +- server/src/index.js | 17 +++++++++++++---- server/yarn.lock | 2 +- 7 files changed, 39 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 127db87..1eeb4ca 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ .DS_Store node_modules *.log -*sublime* \ No newline at end of file +*sublime* +*.rdb \ No newline at end of file diff --git a/app.json b/app.json index 6a63e32..4f554da 100644 --- a/app.json +++ b/app.json @@ -9,6 +9,12 @@ "website": "https://darkwire.io", "repository": "https://github.com/darkwire/darkwire.io", "env": { + "HEROKU_APP_NAME": { + "required": true + }, + "HEROKU_PARENT_APP_NAME": { + "required": true + }, "MAILGUN_API_KEY": { "description": "Mailgun API Key (only required for abuse reporting)", "required": false @@ -38,6 +44,10 @@ "description": "Example: 443", "required": false, "value": "443" + }, + "SITE_URL": { + "description": "Full URL of site. Example: https://darkwire.io", + "required": false } }, "image": "heroku/nodejs", diff --git a/build.sh b/build.sh index 484d94f..5a4972d 100755 --- a/build.sh +++ b/build.sh @@ -1,8 +1,17 @@ +#!/bin/bash + +api_host=$API_HOST + +if [[ "$HEROKU_APP_NAME" =~ "-pr-" ]] +then + api_host="" +fi + echo "building client..." cd client yarn --production=false REACT_APP_COMMIT_SHA=$SOURCE_VERSION \ -REACT_APP_API_HOST=$API_HOST \ +REACT_APP_API_HOST=$api_host \ REACT_APP_API_PROTOCOL=$API_PROTOCOL \ REACT_APP_API_PORT=$API_PORT \ yarn build 
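Review bot: `HEROKU_PARENT_APP_NAME` is declared as a required config var in this hunk, but no other hunk of the patch reads it (build.sh and index.js only consult `HEROKU_APP_NAME`), so either a consumer is missing or the entry is unnecessary and will merely block deploys that cannot supply it. Neither new `HEROKU_*` entry carries a `description`, unlike every other key in this `env` block; something like `"description": "Heroku app name; a -pr- suffix marks a review app (CORS is skipped, client served same-origin)"` would tell whoever fills in the deploy form why it is asked for. Since index.js in this patch sends `SITE_URL` verbatim as the CORS allowed origin, its description should also state that the value has to be the exact origin, e.g. `"description": "Exact origin of the site, used as the CORS allowed origin. No path or trailing slash. Example: https://darkwire.io"`.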
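Review bot: With the new `#!/bin/bash` line this becomes a real executable script, but nothing stops it on failure: if `cd client` fails, `yarn build` still runs from the repository root, and a failed `yarn --production=false` does not abort the build. Adding `set -eo pipefail` directly under the shebang fixes that; `-u` should be left out because an unset `API_HOST` is a legitimate input here. A short comment on the `[[ "$HEROKU_APP_NAME" =~ "-pr-" ]]` test would also help, since quoting the right-hand side of `=~` deliberately turns it into a literal substring match rather than a regex: `# review apps (name contains -pr-) serve the API same-origin, so no external API host`. The script may continue past the end of this hunk.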
diff --git a/server/.env.sample b/server/.env.sample index dc37d25..0986f8e 100644 --- a/server/.env.sample +++ b/server/.env.sample @@ -4,4 +4,5 @@ ABUSE_TO_EMAIL_ADDRESS=abuse@darkwire.io ABUSE_FROM_EMAIL_ADDRESS=Darkwire REDIS_URL=redis://localhost:6379 CLIENT_DIST_DIRECTORY='client/dist/path' -ROOM_HASH_SECRET='some-uuid' \ No newline at end of file +ROOM_HASH_SECRET='some-uuid' +SITE_URL=https://darkwire.io \ No newline at end of file diff --git a/server/package.json b/server/package.json index dfaef71..11f0360 100644 --- a/server/package.json +++ b/server/package.json @@ -16,7 +16,7 @@ "@babel/runtime": "^7.4.4", "bluebird": "^3.5.1", "dotenv": "^8.0.0", - "kcors": "2", + "kcors": "^2.2.2", "koa": "^2.3.0", "koa-body": "^2.3.0", "koa-router": "^7.2.1", diff --git a/server/src/index.js b/server/src/index.js index 8e9a80d..c8eeffe 100644 --- a/server/src/index.js +++ b/server/src/index.js @@ -30,9 +30,17 @@ const PORT = process.env.PORT || 3001; const router = new Router(); const koaBody = new KoaBody(); -app.use(cors({ - credentials: true, -})); +const appName = process.env.HEROKU_APP_NAME; +const isReviewApp = /-pr-/.test(appName); +const siteURL = process.env.SITE_URL; + +if ((siteURL || env === 'development') && !isReviewApp) { + app.use(cors({ + origin: env === 'development' ? '*' : siteURL, + allowMethods: ['GET','HEAD','POST'], + credentials: true, + })); +} router.post('/handshake', koaBody, async (ctx) => { const { body } = ctx.request; @@ -77,7 +85,8 @@ router.post('/abuse/:roomId', koaBody, async (ctx) => { app.use(router.routes()); -const cspDefaultSrc = `'self'${process.env.API_HOST ? ` https://${process.env.API_HOST} wss://${process.env.API_HOST}` : ''}` +const apiHost = process.env.API_HOST; +const cspDefaultSrc = `'self'${apiHost ? ` https://${apiHost} wss://${apiHost}` : ''}` function setStaticFileHeaders(ctx) { ctx.set({ diff --git a/server/yarn.lock b/server/yarn.lock index 9df2872..029a370 100644 --- a/server/yarn.lock +++ b/server/yarn.lock 
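Review bot: In the development branch of the new `app.use(cors({...}))` block, `origin: '*'` is combined with `credentials: true`, which browsers reject for credentialed requests (a wildcard Allow-Origin is not permitted together with Allow-Credentials), so cookie-bearing fetches and sockets will fail locally; the removed config reflected the request Origin, and kcors does the same when `origin` is left unset, so `origin: env === 'development' ? undefined : siteURL,` keeps the old development behaviour. In production `siteURL` is emitted verbatim, so `SITE_URL` must equal the browser's Origin exactly — scheme, host, port, no path or trailing slash — or every cross-origin request is silently refused; a comment such as `// SITE_URL must match the browser Origin exactly (scheme://host[:port], no trailing slash)` above the `if` would save the next person that debugging session. When `SITE_URL` is unset outside development no CORS middleware is installed at all, which looks intended (same-origin only) but deserves a one-line comment as well. `env` is defined outside this hunk.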
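Review bot: The rewritten `const cspDefaultSrc = ...` line still ends without a semicolon while every neighbouring statement has one, and `apiHost` is a plain string interpolated straight into a response header, so a trailing `;` plus a comment like `// API_HOST is operator-supplied config, not request input, so it is safe to splice into the CSP` would keep the next reader from second-guessing it. Separately, build.sh in this same patch blanks the client's API host for review apps, but the CSP here still grants `https://` and `wss://` to `API_HOST` whenever that variable is set in a review environment, so a review app's `default-src` would admit a host it no longer talks to; if that is unintended, `const apiHost = isReviewApp ? '' : process.env.API_HOST;` reuses the check introduced in the earlier hunk. The `setStaticFileHeaders` function that begins at the bottom of this hunk continues beyond it.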
@@ -3502,7 +3502,7 @@ jsprim@^1.2.2: json-schema "0.2.3" verror "1.10.0" -kcors@2: +kcors@^2.2.2: version "2.2.2" resolved "https://registry.yarnpkg.com/kcors/-/kcors-2.2.2.tgz#b6250e7a4f0a33c8f477b7fd0dfa11a3f3ca518d" integrity sha512-rIqbKa2S0gT0wC/790jsQM6hNpABHBNWQ7+XYS1xJV6zOGxlanW+RtCmlDn6wPZsGpRk371yy8abfBgl2OTavg==