CORS fixes (#72)

* Add SITE_URL env var

* Debug git branch

* Set site URL to "false"

* Bug fix

* Fix CORS allowed methods

* Upgrade kcors

* Fix for API HOST in review apps

* Review app fixes

* Add bin/bash

* Refactor site URL code

* Cleanup API host

.gitignore

@@ -2,3 +2,4 @@
 node_modules
 *.log
 *sublime*
+*.rdb

app.json

@@ -9,6 +9,12 @@
   "website": "https://darkwire.io",
   "repository": "https://github.com/darkwire/darkwire.io",
   "env": {
+    "HEROKU_APP_NAME": {
+      "required": true
+    },
+    "HEROKU_PARENT_APP_NAME": {
+      "required": true
+    },
     "MAILGUN_API_KEY": {
       "description": "Mailgun API Key (only required for abuse reporting)",
       "required": false
@@ -38,6 +44,10 @@
       "description": "Example: 443",
       "required": false,
       "value": "443"
+    },
+    "SITE_URL": {
+      "description": "Full URL of site. Example: https://darkwire.io",
+      "required": false
     }
   },
   "image": "heroku/nodejs",

build.sh

@@ -1,8 +1,17 @@
+#!/bin/bash
+
+api_host=$API_HOST
+
+if [[ "$HEROKU_APP_NAME" =~ "-pr-" ]]
+then
+  api_host=""
+fi
+
 echo "building client..."
 cd client
 yarn  --production=false
 REACT_APP_COMMIT_SHA=$SOURCE_VERSION \
-REACT_APP_API_HOST=$API_HOST \
+REACT_APP_API_HOST=$api_host \
 REACT_APP_API_PROTOCOL=$API_PROTOCOL \
 REACT_APP_API_PORT=$API_PORT \
 yarn build

server/.env.sample

@@ -5,3 +5,4 @@ ABUSE_FROM_EMAIL_ADDRESS=Darkwire <no-reply@darkwire.io>
 REDIS_URL=redis://localhost:6379
 CLIENT_DIST_DIRECTORY='client/dist/path'
 ROOM_HASH_SECRET='some-uuid'
+SITE_URL=https://darkwire.io

server/package.json

@@ -16,7 +16,7 @@
     "@babel/runtime": "^7.4.4",
     "bluebird": "^3.5.1",
     "dotenv": "^8.0.0",
-    "kcors": "2",
+    "kcors": "^2.2.2",
     "koa": "^2.3.0",
     "koa-body": "^2.3.0",
     "koa-router": "^7.2.1",

server/src/index.js

@@ -30,9 +30,17 @@ const PORT = process.env.PORT || 3001;
 const router = new Router();
 const koaBody = new KoaBody();
 
-app.use(cors({
+const appName = process.env.HEROKU_APP_NAME;
-  credentials: true,
+const isReviewApp = /-pr-/.test(appName);
-}));
+const siteURL = process.env.SITE_URL;
+
+if ((siteURL || env === 'development') && !isReviewApp) {
+  app.use(cors({
+    origin: env === 'development' ? '*' : siteURL,
+    allowMethods: ['GET','HEAD','POST'],
+    credentials: true,
+  }));
+}
 
 router.post('/handshake', koaBody, async (ctx) => {
   const { body } = ctx.request;
@@ -77,7 +85,8 @@ router.post('/abuse/:roomId', koaBody, async (ctx) => {
 
 app.use(router.routes());
 
-const cspDefaultSrc = `'self'${process.env.API_HOST ? ` https://${process.env.API_HOST} wss://${process.env.API_HOST}` : ''}`
+const apiHost = process.env.API_HOST;
+const cspDefaultSrc = `'self'${apiHost ? ` https://${apiHost} wss://${apiHost}` : ''}`
 
 function setStaticFileHeaders(ctx) {
   ctx.set({

server/yarn.lock

@@ -3502,7 +3502,7 @@ jsprim@^1.2.2:
     json-schema "0.2.3"
     verror "1.10.0"
 
-kcors@2:
+kcors@^2.2.2:
   version "2.2.2"
   resolved "https://registry.yarnpkg.com/kcors/-/kcors-2.2.2.tgz#b6250e7a4f0a33c8f477b7fd0dfa11a3f3ca518d"
   integrity sha512-rIqbKa2S0gT0wC/790jsQM6hNpABHBNWQ7+XYS1xJV6zOGxlanW+RtCmlDn6wPZsGpRk371yy8abfBgl2OTavg==