Merge pull request #42 from GBSL-Informatik/feature/configurable-cors

lebalz · web-flow · commit e2035607dfc4 · 2025-05-19T10:47:33.000+02:00
feature: configurable cors config
diff --git a/.example.env b/.example.env
@@ -1,7 +1,8 @@
 DATABASE_URL="postgresql://user:pw@localhost:5432/teaching_website"
 USER_ID="b6651212-0765-4d1c-ba5c-71632bf53d2a"
 USER_EMAIL="Max.Muster@gbsl.ch"
-FRONTEND_URL="http://localhost:3000"
+ALLOWED_ORIGINS="http://localhost:3000"
+ALLOW_SUBDOMAINS="false"
 MSAL_CLIENT_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 MSAL_TENANT_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 ADMIN_USER_GROUP_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
diff --git a/README.md b/README.md
@@ -71,7 +71,8 @@ to format all typescript files.
 | `USER_ID`              | The UUID of the user to be created on seeding. \*                                                                                                                                               | `fc0dfc19-d4a3-4354-afef-b5706046b368`              |
 | `NO_AUTH`              | If set (and not running `production` mode), clients can authenticate as any user by supplying `{'email': 'some@email.ch'}` in the `Auhorization` header, for any user email in the database\*\* | `NO_AUTH=true`                                      |
 | `PORT`                 | (optional) The port the server should listen on.                                                                                                                                                | `3002` (default)                                    |
-| `FRONTEND_URL`         | The URL of the frontend.                                                                                                                                                                        | `http://localhost:3000`                             |
+| `ALLOWED_ORIGINS`      | A comma-separated list of origins allowed to access the api. E.g. teaching-dev.gbsl.website                                                                                                     | `localhost:3000`                                    |
+| `ALLOW_SUBDOMAINS`     | Wheter subdomains from `ALLOWED_DOMAINS` should be granted access too.                                                                                                                          | `false`                                             |
 | `SESSION_SECRET`       | The secret for the session cookie.\*\*\*                                                                                                                                                        | `secret`                                            |
 | `MSAL_CLIENT_ID`       | The client id for the web api from Azure.                                                                                                                                                       |                                                     |
 | `MSAL_TENANT_ID`       | The Tenant ID from your Azure instance                                                                                                                                                          |                                                     |
@@ -261,7 +262,8 @@ dokku config:set dev-teaching-api MSAL_CLIENT_ID="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXX
 dokku config:set dev-teaching-api MSAL_TENANT_ID="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
 dokku config:set --no-restart dev-teaching-api DOKKU_LETSENCRYPT_EMAIL="foo@bar.ch"
 dokku config:set dev-teaching-api SESSION_SECRET="$(openssl rand -base64 32)"
-dokku config:set dev-teaching-api FRONTEND_URL="https://..."
+dokku config:set dev-teaching-api ALLOWED_ORIGINS="tdev.tld"
+dokku config:set dev-teaching-api ALLOW_SUBDOMAINS="false"
 
 mkdir /home/dokku/dev-teaching-api/nginx.conf.d/
 echo 'client_max_body_size 5m;' > /home/dokku/dev-teaching-api/nginx.conf.d/upload.conf
diff --git a/bin/create-dokku.sh b/bin/create-dokku.sh
@@ -15,8 +15,8 @@ read -p "Enter MSAL_TENANT_ID: " MSAL_TENANT_ID
 # Prompt for DOKKU_LETSENCRYPT_EMAIL
 read -p "Enter DOKKU_LETSENCRYPT_EMAIL: " LETSENCRYPT_EMAIL
 
-# Prompt for FRONTEND_URL
-read -p "Enter FRONTEND_URL: " FRONTEND_URL
+# Prompt for D
+read -p "Enter ALLOWED_ORIGINS: " ALLOWED_ORIGINS
 
 # Prompt for AWS backup credentials
 read -p "Enter AWS access key ID for backup: " AWS_ACCESS_KEY
@@ -43,7 +43,7 @@ dokku config:set $APP_NAME MSAL_CLIENT_ID="$MSAL_CLIENT_ID"
 dokku config:set $APP_NAME MSAL_TENANT_ID="$MSAL_TENANT_ID"
 dokku config:set --no-restart $APP_NAME DOKKU_LETSENCRYPT_EMAIL="$LETSENCRYPT_EMAIL"
 dokku config:set $APP_NAME SESSION_SECRET="$SESSION_SECRET"
-dokku config:set $APP_NAME FRONTEND_URL="$FRONTEND_URL"
+dokku config:set $APP_NAME ALLOWED_ORIGINS="$ALLOWED_ORIGINS"
 
 # Configure nginx for file uploads
 mkdir -p /home/dokku/$APP_NAME/nginx.conf.d/
diff --git a/src/app.ts b/src/app.ts
@@ -16,6 +16,7 @@ import connectPgSimple from 'connect-pg-simple';
 import Logger from './utils/logger';
 import type { ClientToServerEvents, ServerToClientEvents } from './routes/socketEventTypes';
 import type { Server } from 'socket.io';
+import { CORS_ORIGIN, SAME_SITE } from './utils/originConfig';
 
 const AccessRules = createAccessRules(authConfig.accessMatrix);
 
@@ -29,17 +30,6 @@ const app = express();
 export const API_VERSION = 'v1';
 export const API_URL = `/api/${API_VERSION}`;
 
-const HOSTNAME = new URL(process.env.FRONTEND_URL || 'http://localhost:3000').hostname;
-const domainParts = HOSTNAME.split('.');
-const domain = domainParts.slice(domainParts.length - 2).join('.'); /** foo.bar.ch --> domain is bar.ch */
-const CORS_APP = domain.split('.')[1]
-    ? new RegExp(`https://(.*\.)?${domain.split('.')[0]}\\.${domain.split('.')[1]}$`, 'i')
-    : 'http://localhost:3000';
-const CORS_NETLIFY = process.env.NETLIFY_PROJECT_NAME
-    ? new RegExp(`https://deploy-preview-\\d+--${process.env.NETLIFY_PROJECT_NAME}\\.netlify\\.app$`, 'i')
-    : undefined;
-export const CORS_ORIGIN = [HOSTNAME, CORS_APP, CORS_NETLIFY].filter((rule) => !!rule) as (string | RegExp)[];
-
 /**
  *  this is not needed when running behind a reverse proxy
  *  as is the case with dokku (nginx)
@@ -85,8 +75,7 @@ export const sessionMiddleware = session({
     cookie: {
         secure: process.env.NODE_ENV === 'production',
         httpOnly: true,
-        sameSite: process.env.NETLIFY_PROJECT_NAME ? 'none' : 'strict',
-        domain: domain.length > 0 ? domain : undefined,
+        sameSite: SAME_SITE,
         maxAge: SESSION_MAX_AGE // 30 days
     }
 });
diff --git a/src/server.ts b/src/server.ts
@@ -1,4 +1,4 @@
-import app, { configure, CORS_ORIGIN, sessionMiddleware } from './app';
+import app, { configure, sessionMiddleware } from './app';
 import http from 'http';
 import Logger from './utils/logger';
 import { Server } from 'socket.io';
@@ -8,6 +8,7 @@ import EventRouter from './routes/socketEvents';
 import { NextFunction, Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import { HTTP403Error } from './utils/errors/Errors';
+import { CORS_ORIGIN } from './utils/originConfig';
 
 const PORT = process.env.PORT || 3002;
 
diff --git a/src/utils/originConfig.ts b/src/utils/originConfig.ts
@@ -0,0 +1,58 @@
+const DEV_ORIGIN = 'localhost:3000';
+
+/**
+ * splits the origins and removes duplicates
+ */
+const splitOrigins = (origins: string) => {
+    return [
+        ...new Set(
+            origins
+                .split(',')
+                .map((origin) => origin.trim())
+                .filter(Boolean)
+        )
+    ];
+};
+
+// Read CORS configuration from environment variables
+const allowedOrigins = process.env.ALLOWED_ORIGINS ? splitOrigins(process.env.ALLOWED_ORIGINS) : [DEV_ORIGIN];
+const allowSubdomains = process.env.ALLOW_SUBDOMAINS === 'true';
+const netlifyProjectName = process.env.NETLIFY_PROJECT_NAME;
+
+// Build the CORS origin array
+export const CORS_ORIGIN: (string | RegExp)[] = [];
+
+const isLoclhost = (origin: string) => {
+    return origin.startsWith('localhost') || origin.startsWith('127.0.0.1');
+};
+
+// Process additional allowed origins
+allowedOrigins.forEach((origin) => {
+    origin = origin.trim();
+
+    if (!origin) {
+        return;
+    }
+    if (isLoclhost(origin)) {
+        return CORS_ORIGIN.push(`http://${origin}`);
+    }
+
+    if (allowSubdomains) {
+        // Escape dots and create regex for domain with optional subdomains
+        const escapedDomain = origin.replace(/\./g, '\\.');
+        CORS_ORIGIN.push(new RegExp(`^https?://(.*\\.)?${escapedDomain}$`, 'i'));
+    } else {
+        // Add exact domain match (ensuring it has protocol)
+        if (!origin.startsWith('http')) {
+            origin = `https://${origin}`;
+        }
+        CORS_ORIGIN.push(origin);
+    }
+});
+
+// Add Netlify deploy previews if enabled
+if (netlifyProjectName) {
+    CORS_ORIGIN.push(new RegExp(`https://deploy-preview-\\d+--${netlifyProjectName}\\.netlify\\.app$`, 'i'));
+}
+
+export const SAME_SITE = allowedOrigins.length > 1 ? 'none' : 'strict';
