Merge pull request #244 from NIAEFEUP/feature/setup-heroku-netlify

DoStini · web-flow · commit ceb5ef283398 · 2023-02-12T00:56:45.000Z
Allow requests with cors specified in a list of regexes or urls and setup heroku
diff --git a/.env b/.env
@@ -32,8 +32,10 @@ TEST_LOG_REQUESTS=false
 # Default admin credentials - ALSO OVERRIDE IN PRODUCTION
 ADMIN_EMAIL=ni@aefeup.pt
 ADMIN_PASSWORD=n1j0bs_ftw.12345
-#CORS allowed origin - OVERRIDE IN PRODUCTION
-ACCESS_CONTROL_ALLOW_ORIGIN= 
+
+# List of regexes or url's specifying allowed origins. Example:
+# ACCESS_CONTROL_ALLOW_ORIGINS=["https:\\/\\/deploy-preview-\\d+--nijobs\\.netlify\\.app", "https://nijobs.netlify.app"]
+ACCESS_CONTROL_ALLOW_ORIGINS=
 
 # Mail service information. If you don't provide a MAIL_FROM, no emails will be sent. The app will execute no-ops and won't crash
 # However, if you want to send emails, you need to fill all of the following 2 fields
@@ -52,4 +54,4 @@ CLOUDINARY_URL=
 WEBSERVER_HOST=https://localhost:8087
 
 # Path to save file uploads, the path must be relative to the root of the project - Defaults to static
-UPLOAD_FOLDER=
+UPLOAD_FOLDER=
diff --git a/README.md b/README.md
@@ -27,4 +27,5 @@ Made with ❤️ by NIAEFEUP.
 To start developing, please check the [documentation](https://nijobs-docs.netlify.app/intro/getting-started) on how to configure your local development.
 
 ## License
+
 [GNU General Public License v3.0](https://choosealicense.com/licenses/gpl-3.0/)
diff --git a/documentation/docs/intro/getting-started.md b/documentation/docs/intro/getting-started.md
@@ -34,6 +34,16 @@ To start developing, copy `.env` to `.env.local` (by running `cp .env .env.local
 
 Then, you can override the variable's values, according to their explanation in `.env`.
 
+Whenever the file is updated, the server needs to be restarted for changes to have effect.
+
+
+### Cors Setup
+
+In order to allow requests from multiple clients, an array of URL's or regexes can be defined by `ACCESS_CONTROL_ALLOW_ORIGINS`. This is an important step regarding connecting the frontend and the backend of the project. It is crucial that all URL's have no trailing `/`. Example:
+
+```
+ACCESS_CONTROL_ALLOW_ORIGINS=["https:\/\/localhost:3000", "https:\\/\\/deploy-preview-\\d+--nijobs\\.netlify\\.app", "https://nijobs.netlify.app"]
+```
 
 ## Usage
 
diff --git a/package.json b/package.json
@@ -6,6 +6,7 @@
   "type": "module",
   "scripts": {
     "start": "nodemon src/index.js",
+    "heroku-start": "cp .env.public.heroku .env && node src/index.js",
     "prod": "NODE_ENV=production node src/index.js",
     "lint": "eslint src test --max-warnings 0",
     "lint-fix": "npm run lint -- --fix",
diff --git a/src/config/env.js b/src/config/env.js
@@ -28,7 +28,7 @@ export default Object.freeze({
     test_log_requests: JSON.parse(process.env.TEST_LOG_REQUESTS),
     admin_email: process.env.ADMIN_EMAIL,
     admin_password: process.env.ADMIN_PASSWORD,
-    access_control_allow_origin: process.env.ACCESS_CONTROL_ALLOW_ORIGIN || "*",
+    access_control_allow_origins: JSON.parse(process.env.ACCESS_CONTROL_ALLOW_ORIGINS || "[]"),
 
     // Mail
     mail_from: process.env.MAIL_FROM,
diff --git a/src/loaders/express.js b/src/loaders/express.js
@@ -49,7 +49,7 @@ export default (app) => {
 
     // Set the API call rate limit only on production
     if (process.env.NODE_ENV === "production") {
-        const api_rate_limiter = new RateLimit({
+        const api_rate_limiter = RateLimit({
             store: new MongoStore({
                 uri: config.db_uri,
                 user: config.db_user,
@@ -76,9 +76,22 @@ export default (app) => {
     }
 
     // Adding headers (CORS)
-    app.use((_, res, next) => {
-        // Allow connections for all origins
-        res.setHeader("Access-Control-Allow-Origin", config.access_control_allow_origin);
+    app.use((req, res, next) => {
+        res.setHeader("Access-Control-Allow-Origin", "null");
+
+        // Allow requests from connections specified by the allow list regexes
+        const origin = req.header("origin");
+        if (origin) {
+            const originAllowed = config.access_control_allow_origins.find(
+                (allowOrigin) => origin.match(new RegExp(`^${allowOrigin}$`, "g")) // Match full string using ^ and $
+            );
+
+            if (originAllowed) {
+                res.setHeader("Access-Control-Allow-Origin", origin);
+            }
+        }
+
+
         // Allowed request methods
         res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS, PUT, PATCH, DELETE");
         // Allowed request headers
