From 68ea9bf01efdf411e20998029e917d09f6d87bb1 Mon Sep 17 00:00:00 2001 From: Teppo Kurki Date: Tue, 10 Oct 2023 21:40:58 +0300 Subject: [PATCH] feature: echo wildcard CORS origin Add the ability to specify * as an allowed CORS origin, making the server echo back the origin in Access-Control-Allow-Origin header so that we can use credentials in client requests and security works. --- .../src/views/security/Settings.js | 18 +++++++++------- src/cors.ts | 21 +++++++++++++------ 2 files changed, 25 insertions(+), 14 deletions(-) diff --git a/packages/server-admin-ui/src/views/security/Settings.js b/packages/server-admin-ui/src/views/security/Settings.js index cae4b3c92..1d4ca7bf4 100644 --- a/packages/server-admin-ui/src/views/security/Settings.js +++ b/packages/server-admin-ui/src/views/security/Settings.js @@ -210,13 +210,14 @@ class Settings extends Component { {' '} @@ -232,7 +233,8 @@ class Settings extends Component { value={this.state.allowedCorsOrigins} /> - Use comma delimited list, example: + Use either * or a comma delimited list of origins, + example: http://host1.name.com:3000,http://host2.name.com:3000 diff --git a/src/cors.ts b/src/cors.ts index c38cbd580..2ca5deba4 100644 --- a/src/cors.ts +++ b/src/cors.ts 
@@ -10,19 +10,28 @@ export function setupCors(
 const corsDebug = createDebug('signalk-server:cors')
 const corsOptions: CorsOptions = {
- credentials: true,
+ credentials: true
 }
+
 const corsOrigins = allowedCorsOrigins
 ? allowedCorsOrigins
 .split(',')
 .map((s: string) => s.trim().replace(/\/*$/, ''))
 : []
- corsDebug(`corsOrigins:${corsOrigins.toString()}`)
- // set origin only if corsOrigins are set so that
- // we get the default cors module functionality
- // for simple requests by default
- if (corsOrigins.length) {
+
+ // default wildcard cors configuration does not work
+ // with credentials:include client requests, so add
+ // our own wildcard rule that will match all origins
+ // but respond with that origin, not the default *
+ if (allowedCorsOrigins?.startsWith('*')) {
+ corsOptions.origin = (origin: string | undefined, cb) => cb(null, origin)
+ corsDebug('Allowing all origins')
+ } else if (corsOrigins.length > 0) {
+ // set origin only if corsOrigins are set so that
+ // we get the default cors module functionality
+ // for simple requests by default
 corsOptions.origin = corsOrigins
+ corsDebug(`corsOrigins:${corsOrigins.toString()}`)
 }
 app.use(cors(corsOptions))
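Review bot: The wildcard test `allowedCorsOrigins?.startsWith('*')` in the new branch matches any setting that merely begins with an asterisk, so a value meant as a pattern (constructed example: `*.example.test`) or a list that happens to start with `*` silently becomes reflect-every-origin, and combined with `credentials: true` that lets any site make cookie-authenticated requests to the server. Tighten the check to the exact value the admin UI text describes, `if (allowedCorsOrigins?.trim() === '*') {`, so an unintended match cannot widen the policy. Since reflecting the request origin removes the browser's origin restriction for credentialed requests, it is worth surfacing at startup with a console.warn rather than only through the debug channel, and the comment block above the branch should state that plainly, e.g. `// reflecting the request origin with credentials:true lets any origin send authenticated requests; only appropriate on trusted networks`. setupCors begins before this hunk and its closing brace lies after it.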