generalize cors policy

Author: lebalz

README.md

@@ -53,7 +53,7 @@ to format all typescript files.
 | `MSAL_CLIENT_ID`       | The client id for the web api from Azure.                                                                                                                                                       |                                                     |
 | `MSAL_TENANT_ID`       | The Tenant ID from your Azure instance                                                                                                                                                          |                                                     |
 | `APP_NAME`             | The name of the app. Used for the cookie name prefix `{APP_NAME}ApiKey`                                                                                                                         | `xyzTeaching`, default: `twa`                       |
-| `WITH_DEPLOY_PREVIEW`  | When set to `true`, the app will allow requests from `https://deploy-preview-\d+--teaching-dev.netlify.app` and use `sameSite=none` instead of strict.                                          |                                                     |
+| `NETLIFY_PROJECT_NAME`  | When set to the netlify project name (e.g. `teaching-dev`), the app will allow requests from `https://deploy-preview-\d+--teaching-dev.netlify.app` and use `sameSite=none` instead of strict.                                          |                                                     |
 | `ADMIN_USER_GROUP_ID`  | The UUID of the group that should be used as the admin group. For this group a RW-Permission will be always added to a newly created document root when it's access is not RW                   | default: ""                                         |
 | `GITHUB_CLIENT_SECRET` | Used for the CMS to work properly. Register an app under https://github.com/settings/apps.                                                                                                      |                                                     |
 | `GITHUB_CLIENT_ID`     |                                                                                                                                                                                                 |                                                     |

src/app.ts

@@ -29,6 +29,14 @@ const app = express();
 export const API_VERSION = 'v1';
 export const API_URL = `/api/${API_VERSION}`;
 
+
+const HOSTNAME = new URL(process.env.FRONTEND_URL || 'http://localhost:3000').hostname;
+const domainParts = HOSTNAME.split('.');
+const domain = domainParts.slice(domainParts.length - 2).join('.'); /** foo.bar.ch --> domain is bar.ch */
+const CORS_APP = new RegExp(`https://(.*\.)?${domain.split('.')[0]}\.${domain.split('.')[1] || ':3000'}$`, 'i')
+const CORS_NETLIFY = process.env.NETLIFY_PROJECT_NAME ? new RegExp(`https://deploy-preview-\\d+--${process.env.NETLIFY_PROJECT_NAME}\\.netlify\\.app$`, 'i') : undefined;
+export const CORS_ORIGIN = [HOSTNAME, CORS_APP, CORS_NETLIFY].filter(rule => !!rule) as (string | RegExp)[];
+
 /**
  *  this is not needed when running behind a reverse proxy
  *  as is the case with dokku (nginx)
@@ -39,10 +47,9 @@ export const API_URL = `/api/${API_VERSION}`;
 app.use(
     cors({
         credentials: true,
-        origin: process.env.WITH_DEPLOY_PREVIEW
-            ? [process.env.FRONTEND_URL || true, /https:\/\/deploy-preview-\d+--teaching-dev.netlify.app/]
-            : process.env.FRONTEND_URL || true /* true = strict origin */,
-        methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'HEAD']
+        origin: CORS_ORIGIN,
+        methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'HEAD'],
+
     })
 );
 
@@ -56,10 +63,6 @@ const store = new (connectPgSimple(session))({
     tableName: 'sessions'
 });
 
-const HOSTNAME = new URL(process.env.FRONTEND_URL || 'http://localhost:3000').hostname;
-const domainParts = HOSTNAME.split('.');
-const domain = domainParts.slice(domainParts.length - 2).join('.'); /** foo.bar.ch --> domain is bar.ch */
-
 const SESSION_MAX_AGE = 2592000000 as const; // 1000 * 60 * 60 * 24 * 30 = 2592000000 = 30 days
 
 /** make sure to have 1 (reverse) proxy in front of the application
@@ -80,7 +83,7 @@ export const sessionMiddleware = session({
     cookie: {
         secure: process.env.NODE_ENV === 'production',
         httpOnly: true,
-        sameSite: process.env.WITH_DEPLOY_PREVIEW ? 'none' : 'strict',
+        sameSite: process.env.NETLIFY_PROJECT_NAME ? 'none' : 'strict',
         domain: domain.length > 0 ? domain : undefined,
         maxAge: SESSION_MAX_AGE // 30 days
     }

src/server.ts

@@ -1,4 +1,4 @@
-import app, { configure, sessionMiddleware } from './app';
+import app, { configure, CORS_ORIGIN, sessionMiddleware } from './app';
 import http from 'http';
 import Logger from './utils/logger';
 import { Server } from 'socket.io';
@@ -12,13 +12,10 @@ import { HTTP403Error } from './utils/errors/Errors';
 const PORT = process.env.PORT || 3002;
 
 const server = http.createServer(app);
-const corsOrigin = process.env.WITH_DEPLOY_PREVIEW
-    ? [process.env.FRONTEND_URL || true, /https:\/\/deploy-preview-\d+--teaching-dev.netlify.app/]
-    : process.env.FRONTEND_URL || true; /* true = strict origin */
 
 const io = new Server<ClientToServerEvents, ServerToClientEvents>(server, {
     cors: {
-        origin: corsOrigin,
+        origin: CORS_ORIGIN,
         credentials: true,
         methods: ['GET', 'POST', 'PUT', 'DELETE']
     },