CORS fixes (#72)

* Add SITE_URL env var * Debug git branch * Set site URL to "false" * Bug fix * Fix CORS allowed methods * Upgrade kcors * Fix for API HOST in review apps * Review app fixes * Add bin/bash * Refactor site URL code * Cleanup API host
2025-07-18 02:44:01 +00:00 · 2019-05-19 16:42:30 -04:00 · 2019-05-19 16:42:30 -04:00 · 8cd079ea8e
commit 8cd079ea8e
parent a6c519e2f0
7 changed files with 39 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 node_modules
 *.log
 *sublime*
+*.rdb
--- a/app.json
+++ b/app.json
@ -9,6 +9,12 @@
  "website": "https://darkwire.io",
  "repository": "https://github.com/darkwire/darkwire.io",
  "env": {
+    "HEROKU_APP_NAME": {
+      "required": true
+    },
+    "HEROKU_PARENT_APP_NAME": {
+      "required": true
+    },
    "MAILGUN_API_KEY": {
      "description": "Mailgun API Key (only required for abuse reporting)",
      "required": false
@ -38,6 +44,10 @@
      "description": "Example: 443",
      "required": false,
      "value": "443"
+    },
+    "SITE_URL": {
+      "description": "Full URL of site. Example: https://darkwire.io",
+      "required": false
    }
  },
  "image": "heroku/nodejs",
--- a/build.sh
+++ b/build.sh
@ -1,8 +1,17 @@
+#!/bin/bash
+
+api_host=$API_HOST
+
+if [[ "$HEROKU_APP_NAME" =~ "-pr-" ]]
+then
+  api_host=""
+fi
+
 echo "building client..."
 cd client
 yarn  --production=false
 REACT_APP_COMMIT_SHA=$SOURCE_VERSION \
-REACT_APP_API_HOST=$API_HOST \
+REACT_APP_API_HOST=$api_host \
 REACT_APP_API_PROTOCOL=$API_PROTOCOL \
 REACT_APP_API_PORT=$API_PORT \
 yarn build
--- a/server/.env.sample
+++ b/server/.env.sample
@ -5,3 +5,4 @@ ABUSE_FROM_EMAIL_ADDRESS=Darkwire <no-reply@darkwire.io>
 REDIS_URL=redis://localhost:6379
 CLIENT_DIST_DIRECTORY='client/dist/path'
 ROOM_HASH_SECRET='some-uuid'
+SITE_URL=https://darkwire.io
--- a/server/package.json
+++ b/server/package.json
@ -16,7 +16,7 @@
    "@babel/runtime": "^7.4.4",
    "bluebird": "^3.5.1",
    "dotenv": "^8.0.0",
-    "kcors": "2",
+    "kcors": "^2.2.2",
    "koa": "^2.3.0",
    "koa-body": "^2.3.0",
    "koa-router": "^7.2.1",
--- a/server/src/index.js
+++ b/server/src/index.js
@ -30,9 +30,17 @@ const PORT = process.env.PORT || 3001;
 const router = new Router();
 const koaBody = new KoaBody();

-app.use(cors({
-  credentials: true,
-}));
+const appName = process.env.HEROKU_APP_NAME;
+const isReviewApp = /-pr-/.test(appName);
+const siteURL = process.env.SITE_URL;
+
+if ((siteURL || env === 'development') && !isReviewApp) {
+  app.use(cors({
+    origin: env === 'development' ? '*' : siteURL,
+    allowMethods: ['GET','HEAD','POST'],
+    credentials: true,
+  }));
+}

 router.post('/handshake', koaBody, async (ctx) => {
  const { body } = ctx.request;
@ -77,7 +85,8 @@ router.post('/abuse/:roomId', koaBody, async (ctx) => {

 app.use(router.routes());

-const cspDefaultSrc = `'self'${process.env.API_HOST ? ` https://${process.env.API_HOST} wss://${process.env.API_HOST}` : ''}`
+const apiHost = process.env.API_HOST;
+const cspDefaultSrc = `'self'${apiHost ? ` https://${apiHost} wss://${apiHost}` : ''}`

 function setStaticFileHeaders(ctx) {
  ctx.set({
--- a/server/yarn.lock
+++ b/server/yarn.lock
@ -3502,7 +3502,7 @@ jsprim@^1.2.2:
    json-schema "0.2.3"
    verror "1.10.0"

-kcors@2:
+kcors@^2.2.2:
  version "2.2.2"
  resolved "https://registry.yarnpkg.com/kcors/-/kcors-2.2.2.tgz#b6250e7a4f0a33c8f477b7fd0dfa11a3f3ca518d"
  integrity sha512-rIqbKa2S0gT0wC/790jsQM6hNpABHBNWQ7+XYS1xJV6zOGxlanW+RtCmlDn6wPZsGpRk371yy8abfBgl2OTavg==