From 25d5827e54823d91fc335678795f609cf97c27bd Mon Sep 17 00:00:00 2001
From: Kathryn Beaty
Date: Tue, 18 Jul 2023 13:58:06 -0400
Subject: [PATCH 1/2] add cors to oembed endpoint

---
 src/core/server/app/router/api/index.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/core/server/app/router/api/index.ts b/src/core/server/app/router/api/index.ts
index c09d0ace6a..24edb15801 100644
--- a/src/core/server/app/router/api/index.ts
+++ b/src/core/server/app/router/api/index.ts
@@ -1,3 +1,4 @@
+import cors from "cors";
 import express from "express";
 import passport from "passport";
@@ -95,6 +96,7 @@ export function createAPIRouter(app: AppOptions, options: RouterOptions) {
   router.get("/oembed", cspSiteMiddleware(app), oembedHandler(app));
   router.get(
     "/services/oembed",
+    cors(),
     commentEmbedWhitelisted(app),
     oembedProviderHandler(app)
   );

From d9cef98178851bcd8a47ef74f362747a85aa524c Mon Sep 17 00:00:00 2001
From: Kathryn Beaty
Date: Wed, 19 Jul 2023 09:09:16 -0400
Subject: [PATCH 2/2] update oembed cors options to delegate site

---
 .../app/middleware/commentEmbedWhitelisted.ts | 33 +++++++++++++++++--
 src/core/server/app/router/api/index.ts | 3 +-
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/src/core/server/app/middleware/commentEmbedWhitelisted.ts b/src/core/server/app/middleware/commentEmbedWhitelisted.ts
index 68c0f5c4fb..0ccb3732e7 100644
--- a/src/core/server/app/middleware/commentEmbedWhitelisted.ts
+++ b/src/core/server/app/middleware/commentEmbedWhitelisted.ts
@@ -1,8 +1,11 @@
-import { AppOptions } from "coral-server/app";
+import { CorsOptionsDelegate } from "cors";
+
+import { MongoContext } from "coral-server/data/context";
 import { retrieveComment } from "coral-server/models/comment";
 import { retrieveSite } from "coral-server/models/site";
-import { RequestHandler } from "coral-server/types/express";
+import { Request, RequestHandler } from "coral-server/types/express";
+import { AppOptions } from "..";
 import { getRequesterOrigin } from "../helpers";
 export const commentEmbedWhitelisted =
@@ -29,7 +32,10 @@ export const commentEmbedWhitelisted =
     if (siteID) {
       const site = await retrieveSite(mongo, tenant.id, siteID);
       if (site) {
-        const origin = getRequesterOrigin(req);
+        let origin: string | null | undefined = getRequesterOrigin(req);
+        if (!origin) {
+          origin = req.header("Origin");
+        }
         if (origin) {
           if (site.allowedOrigins.includes(origin)) {
             return next();
@@ -40,3 +46,24 @@ export const commentEmbedWhitelisted =
     }
     res.sendStatus(401);
   };
+
+/**
+ * Creates the options for the "cors" middleware which whitelists
+ * site origins for the single comment embed.
+ *
+ * @param mongo the database connection
+ * @returns CorsOptionsDelegate
+ */
+export function createCommentEmbedCorsOptionsDelegate(
+  mongo: MongoContext
+): CorsOptionsDelegate {
+  return async (req: Request, callback) => {
+    const originHeader = req.header("Origin");
+    const tenantID = req.coral.tenant?.id;
+    if (!originHeader || !tenantID) {
+      callback(null, { origin: false }); // disable CORS for this request
+      return;
+    }
+    callback(null, { origin: true });
+  };
+}
diff --git a/src/core/server/app/router/api/index.ts b/src/core/server/app/router/api/index.ts
index 24edb15801..34bc5793c8 100644
--- a/src/core/server/app/router/api/index.ts
+++ b/src/core/server/app/router/api/index.ts
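Review bot: The new fallback `origin = req.header("Origin")` passes the raw header value straight into `site.allowedOrigins.includes(origin)`, whereas the value from getRequesterOrigin presumably goes through whatever normalisation that helper applies; if allowedOrigins entries are stored in a normalised form, a verbatim Origin (including the literal string `null` that browsers send for opaque origins) may compare differently from the helper-derived value. Either route the header through the same normalisation or add a comment stating that Origin is compared verbatim. Both values are client-supplied, so this check distinguishes browser-issued cross-site requests rather than authenticating the caller; a line such as `// Origin is set by browsers on cross-site requests; like the helper-derived value it is compared against site.allowedOrigins as-is` above the fallback would make that explicit. The enclosing commentEmbedWhitelisted handler starts and ends outside this hunk.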
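Review bot: createCommentEmbedCorsOptionsDelegate never reads its `mongo` parameter and consults no allowlist: for every request that carries an Origin header and a resolved tenant it answers `{ origin: true }`, which makes the cors middleware reflect the requesting origin in Access-Control-Allow-Origin, so the docstring's claim that it "whitelists site origins" does not describe the code. The restriction actually comes from commentEmbedWhitelisted answering 401 for origins outside site.allowedOrigins before this delegate runs, so either have the delegate check `site.allowedOrigins` itself (it already receives `mongo` for that) or drop the unused parameter and state the dependency in the docstring, e.g. `Reflects the request Origin; relies on commentEmbedWhitelisted having already rejected origins not in site.allowedOrigins.` The `async` on the returned function is also unnecessary since nothing is awaited, and it turns any thrown error into an unhandled rejection instead of a value the cors callback can report.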
@@ -13,6 +13,7 @@ import {
   authenticate,
   commentEmbedWhitelisted,
   corsWhitelisted,
+  createCommentEmbedCorsOptionsDelegate,
   cspSiteMiddleware,
   JSONErrorHandler,
   jsonMiddleware,
@@ -96,8 +97,8 @@ export function createAPIRouter(app: AppOptions, options: RouterOptions) {
   router.get("/oembed", cspSiteMiddleware(app), oembedHandler(app));
   router.get(
     "/services/oembed",
-    cors(),
     commentEmbedWhitelisted(app),
+    cors(createCommentEmbedCorsOptionsDelegate(app.mongo)),
     oembedProviderHandler(app)
   );
   router.get(
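Review bot: The middleware order in the second hunk is load-bearing but undocumented: `cors(createCommentEmbedCorsOptionsDelegate(app.mongo))` now runs after `commentEmbedWhitelisted(app)`, and because the delegate reflects any Origin once a tenant is resolved, it is the preceding 401 from commentEmbedWhitelisted that keeps Access-Control-Allow-Origin from being issued to origins outside site.allowedOrigins. A one-line comment above the cors call would protect that ordering from a later reshuffle, e.g. `// must stay after commentEmbedWhitelisted: the delegate reflects any Origin`. createAPIRouter's body continues beyond this hunk.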