Merge pull request #4297 from coralproject/fix/comment-oembed-cors

[CORL-2872]: Add cors to single comment embed oembed endpoint
coralproject · Jul 19, 2023 · da6cfaf · da6cfaf
2 parents 9de5be9 + d9cef98
commit da6cfaf
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/src/core/server/app/middleware/commentEmbedWhitelisted.ts b/src/core/server/app/middleware/commentEmbedWhitelisted.ts
@@ -1,8 +1,11 @@
-import { AppOptions } from "coral-server/app";
+import { CorsOptionsDelegate } from "cors";
+
+import { MongoContext } from "coral-server/data/context";
 import { retrieveComment } from "coral-server/models/comment";
 import { retrieveSite } from "coral-server/models/site";
-import { RequestHandler } from "coral-server/types/express";
+import { Request, RequestHandler } from "coral-server/types/express";
 
+import { AppOptions } from "..";
 import { getRequesterOrigin } from "../helpers";
 
 export const commentEmbedWhitelisted =
@@ -29,7 +32,10 @@ export const commentEmbedWhitelisted =
       if (siteID) {
         const site = await retrieveSite(mongo, tenant.id, siteID);
         if (site) {
-          const origin = getRequesterOrigin(req);
+          let origin: string | null | undefined = getRequesterOrigin(req);
+          if (!origin) {
+            origin = req.header("Origin");
+          }
           if (origin) {
             if (site.allowedOrigins.includes(origin)) {
               return next();
@@ -40,3 +46,24 @@ export const commentEmbedWhitelisted =
     }
     res.sendStatus(401);
   };
+
+/**
+ * Creates the options for the "cors" middleware which whitelists
+ * site origins for the single comment embed.
+ *
+ * @param mongo the database connection
+ * @returns CorsOptionsDelegate
+ */
+export function createCommentEmbedCorsOptionsDelegate(
+  mongo: MongoContext
+): CorsOptionsDelegate {
+  return async (req: Request, callback) => {
+    const originHeader = req.header("Origin");
+    const tenantID = req.coral.tenant?.id;
+    if (!originHeader || !tenantID) {
+      callback(null, { origin: false }); // disable CORS for this request
+      return;
+    }
+    callback(null, { origin: true });
+  };
+}
diff --git a/src/core/server/app/router/api/index.ts b/src/core/server/app/router/api/index.ts
@@ -1,3 +1,4 @@
+import cors from "cors";
 import express from "express";
 import passport from "passport";
 
@@ -12,6 +13,7 @@ import {
   authenticate,
   commentEmbedWhitelisted,
   corsWhitelisted,
+  createCommentEmbedCorsOptionsDelegate,
   cspSiteMiddleware,
   JSONErrorHandler,
   jsonMiddleware,
@@ -96,6 +98,7 @@ export function createAPIRouter(app: AppOptions, options: RouterOptions) {
   router.get(
     "/services/oembed",
     commentEmbedWhitelisted(app),
+    cors(createCommentEmbedCorsOptionsDelegate(app.mongo)),
     oembedProviderHandler(app)
   );
   router.get(