fix(core): Fix CORS issue in waiting webhook responses (#23861)

Co-authored-by: Shashwat <[email protected]>
Co-authored-by: Michael Kret <[email protected]>
Co-authored-by: Michael Kret <[email protected]>

Author: 3 people

packages/cli/src/utils/__tests__/cors.util.test.ts

@@ -0,0 +1,135 @@
+import type { Request, Response } from 'express';
+
+import { applyCors } from '../cors.util';
+
+describe('applyCors', () => {
+	let mockReq: Partial<Request>;
+	let mockRes: Partial<Response>;
+	let setHeaderSpy: jest.Mock;
+	let getHeaderSpy: jest.Mock;
+
+	beforeEach(() => {
+		setHeaderSpy = jest.fn();
+		getHeaderSpy = jest.fn();
+
+		mockReq = {
+			headers: {},
+		};
+
+		mockRes = {
+			setHeader: setHeaderSpy,
+			getHeader: getHeaderSpy,
+		};
+	});
+
+	afterEach(() => {
+		jest.clearAllMocks();
+	});
+
+	it('should not modify headers if Access-Control-Allow-Origin is already set', () => {
+		getHeaderSpy.mockReturnValue('https://example.com');
+		mockReq.headers = { origin: 'https://test.com' };
+
+		applyCors(mockReq as Request, mockRes as Response);
+
+		expect(getHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Origin');
+		expect(setHeaderSpy).not.toHaveBeenCalled();
+	});
+
+	it('should set Access-Control-Allow-Origin to * when origin is undefined', () => {
+		getHeaderSpy.mockReturnValue(undefined);
+		mockReq.headers = {};
+
+		applyCors(mockReq as Request, mockRes as Response);
+
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Origin', '*');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Headers', 'Content-Type');
+		expect(setHeaderSpy).toHaveBeenCalledTimes(3);
+	});
+
+	it('should set Access-Control-Allow-Origin to * when origin is "null"', () => {
+		getHeaderSpy.mockReturnValue(undefined);
+		mockReq.headers = { origin: 'null' };
+
+		applyCors(mockReq as Request, mockRes as Response);
+
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Origin', '*');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Headers', 'Content-Type');
+		expect(setHeaderSpy).toHaveBeenCalledTimes(3);
+	});
+
+	it('should set Access-Control-Allow-Origin to the request origin when origin is provided', () => {
+		getHeaderSpy.mockReturnValue(undefined);
+		const origin = 'https://example.com';
+		mockReq.headers = { origin };
+
+		applyCors(mockReq as Request, mockRes as Response);
+
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Origin', origin);
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Headers', 'Content-Type');
+		expect(setHeaderSpy).toHaveBeenCalledTimes(3);
+	});
+
+	it('should set Access-Control-Allow-Origin to the request origin with localhost', () => {
+		getHeaderSpy.mockReturnValue(undefined);
+		const origin = 'http://localhost:3000';
+		mockReq.headers = { origin };
+
+		applyCors(mockReq as Request, mockRes as Response);
+
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Origin', origin);
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Headers', 'Content-Type');
+		expect(setHeaderSpy).toHaveBeenCalledTimes(3);
+	});
+
+	it('should set Access-Control-Allow-Origin to the request origin with custom port', () => {
+		getHeaderSpy.mockReturnValue(undefined);
+		const origin = 'https://app.example.com:8080';
+		mockReq.headers = { origin };
+
+		applyCors(mockReq as Request, mockRes as Response);
+
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Origin', origin);
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Headers', 'Content-Type');
+		expect(setHeaderSpy).toHaveBeenCalledTimes(3);
+	});
+
+	it('should handle IP address as origin', () => {
+		getHeaderSpy.mockReturnValue(undefined);
+		const origin = 'http://192.168.1.1:5000';
+		mockReq.headers = { origin };
+
+		applyCors(mockReq as Request, mockRes as Response);
+
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Origin', origin);
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Headers', 'Content-Type');
+		expect(setHeaderSpy).toHaveBeenCalledTimes(3);
+	});
+
+	it('should always set Allow-Methods and Allow-Headers when origin is present', () => {
+		getHeaderSpy.mockReturnValue(undefined);
+		const origin = 'https://trusted-domain.com';
+		mockReq.headers = { origin };
+
+		applyCors(mockReq as Request, mockRes as Response);
+
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Headers', 'Content-Type');
+	});
+
+	it('should always set Allow-Methods and Allow-Headers when origin is not present', () => {
+		getHeaderSpy.mockReturnValue(undefined);
+		mockReq.headers = {};
+
+		applyCors(mockReq as Request, mockRes as Response);
+
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
+		expect(setHeaderSpy).toHaveBeenCalledWith('Access-Control-Allow-Headers', 'Content-Type');
+	});
+});

packages/cli/src/utils/cors.util.ts

@@ -0,0 +1,18 @@
+import type { Request, Response } from 'express';
+
+export function applyCors(req: Request, res: Response) {
+	if (res.getHeader('Access-Control-Allow-Origin')) {
+		return;
+	}
+
+	const origin = req.headers.origin;
+
+	if (!origin || origin === 'null') {
+		res.setHeader('Access-Control-Allow-Origin', '*');
+	} else {
+		res.setHeader('Access-Control-Allow-Origin', origin);
+	}
+
+	res.setHeader('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
+	res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+}

packages/cli/src/webhooks/__tests__/waiting-forms.test.ts

@@ -246,10 +246,32 @@ describe('WaitingForms', () => {
 
 			await waitingForms.executeWebhook(req, res);
 
-			expect(res.header).toHaveBeenCalledWith('Access-Control-Allow-Origin', 'null');
+			expect(res.setHeader).toHaveBeenCalledWith('Access-Control-Allow-Origin', '*');
 		});
 
-		it('should not set CORS headers when origin header is missing for status endpoint', async () => {
+		it('should not override existing Access-Control-Allow-Origin header', async () => {
+			const execution = mock<IExecutionResponse>({
+				status: 'success',
+			});
+			executionRepository.findSingleExecution.mockResolvedValue(execution);
+
+			const req = mock<WaitingWebhookRequest>({
+				headers: { origin: 'null' },
+				params: {
+					path: '123',
+					suffix: WAITING_FORMS_EXECUTION_STATUS,
+				},
+			});
+
+			const res = mock<express.Response>();
+			res.setHeader.mockImplementation(() => res);
+			res.getHeader.mockReturnValue('https://example.com');
+
+			await waitingForms.executeWebhook(req, res);
+
+			expect(res.setHeader).not.toHaveBeenCalledWith('Access-Control-Allow-Origin', '*');
+		});
+		it('should set CORS headers to wildcard when origin header is missing for status endpoint', async () => {
 			const execution = mock<IExecutionResponse>({
 				status: 'success',
 			});
@@ -267,7 +289,7 @@ describe('WaitingForms', () => {
 
 			await waitingForms.executeWebhook(req, res);
 
-			expect(res.header).not.toHaveBeenCalledWith('Access-Control-Allow-Origin', expect.anything());
+			expect(res.setHeader).toHaveBeenCalledWith('Access-Control-Allow-Origin', '*');
 		});
 
 		it('should not set CORS headers for non-status endpoints', async () => {
@@ -317,7 +339,10 @@ describe('WaitingForms', () => {
 
 			await waitingForms.executeWebhook(req, res);
 
-			expect(res.header).not.toHaveBeenCalledWith('Access-Control-Allow-Origin', expect.anything());
+			expect(res.setHeader).not.toHaveBeenCalledWith(
+				'Access-Control-Allow-Origin',
+				expect.anything(),
+			);
 		});
 
 		it('should handle old executions with missing activeVersionId field when active=true', () => {

packages/cli/src/webhooks/waiting-forms.ts

@@ -17,6 +17,7 @@ import { WaitingWebhooks } from '@/webhooks/waiting-webhooks';
 
 import { sanitizeWebhookRequest } from './webhook-request-sanitizer';
 import type { IWebhookResponseCallbackData, WaitingWebhookRequest } from './webhook.types';
+import { applyCors } from '@/utils/cors.util';
 
 @Service()
 export class WaitingForms extends WaitingWebhooks {
@@ -97,9 +98,7 @@ export class WaitingForms extends WaitingWebhooks {
 				}
 			}
 
-			if (req.headers.origin) {
-				res.header('Access-Control-Allow-Origin', req.headers.origin);
-			}
+			applyCors(req, res);
 
 			res.send(status);
 			return { noWebhookResponse: true };
@@ -148,6 +147,8 @@ export class WaitingForms extends WaitingWebhooks {
 			}
 		}
 
+		applyCors(req, res);
+
 		return await this.getWebhookExecutionData({
 			execution,
 			req,

packages/cli/src/webhooks/waiting-webhooks.ts

@@ -33,6 +33,7 @@ import { getWorkflowActiveStatusFromWorkflowData } from '@/executions/execution.
 import { NodeTypes } from '@/node-types';
 import * as WebhookHelpers from '@/webhooks/webhook-helpers';
 import * as WorkflowExecuteAdditionalData from '@/workflow-execute-additional-data';
+import { applyCors } from '@/utils/cors.util';
 
 /**
  * Service for handling the execution of webhooks of Wait nodes that use the
@@ -170,6 +171,8 @@ export class WaitingWebhooks implements IWebhookManager {
 
 		const lastNodeExecuted = execution.data.resultData.lastNodeExecuted as string;
 
+		applyCors(req, res);
+
 		return await this.getWebhookExecutionData({
 			execution,
 			req,