Merge pull request #58 from GeneralMagicio/add_cors_allow_list

feat: add cors allow list and allow tunnels for testing on WLD mini app

Author: Meriem-BM

.env.example

@@ -0,0 +1,3 @@
+DATABASE_URL=
+WHITELISTED_ORIGINS=
+TUNNEL_DOMAINS=

.gitignore

@@ -41,6 +41,7 @@ lerna-debug.log*
 .env.test.local
 .env.production.local
 .env.local
+!.env.example
 
 # temp directory
 .temp

src/auth/auth.controller.ts

@@ -6,17 +6,24 @@ import { MiniAppWalletAuthSuccessPayload } from '@worldcoin/minikit-js';
 interface IRequestPayload {
   payload: MiniAppWalletAuthSuccessPayload;
 }
+
+function isHttps(req: Request) {
+  return (
+    req.protocol === 'https' || req.headers['x-forwarded-proto'] === 'https'
+  );
+}
+
 @Controller('auth')
 export class AuthController {
   constructor(private readonly authService: AuthService) {}
 
   @Get('nonce')
-  async generateNonce(@Res() res: Response): Promise<any> {
+  generateNonce(@Req() req: Request, @Res() res: Response) {
     const nonce = this.authService.generateNonce();
     res.cookie('siwe', nonce, {
       httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
-      sameSite: 'strict',
+      secure: process.env.NODE_ENV === 'production' || isHttps(req),
+      sameSite: 'none',
       maxAge: 2 * 60 * 1000, //2 minutes
     });
 
@@ -45,6 +52,7 @@ export class AuthController {
       );
       return res.status(200).json({ isValid: validMessage });
     } catch (error: any) {
+      console.log('Error verifying payload:', error);
       return res
         .status(400)
         .json({ status: 'error', isValid: false, message: error.message });

src/main.ts

@@ -6,13 +6,54 @@ import { ValidationPipe } from '@nestjs/common';
 async function bootstrap() {
   const app = await NestFactory.create(AppModule);
 
-  app.useGlobalPipes(
-    new ValidationPipe({
-      transform: true,
-    }),
-  );
+  const environment = process.env.NODE_ENV || 'development';
+  const rawOrigins = process.env.WHITELISTED_ORIGINS || '';
+  const rawTunnelDomains = process.env.TUNNEL_DOMAINS || '';
+
+  const whiteListedOrigins = rawOrigins
+    .split(',')
+    .map((origin) => origin.trim().replace(/^https?:\/\//, ''))
+    .filter((origin) => !!origin);
+
+  const tunnelDomains = rawTunnelDomains
+    .split(',')
+    .map((domain) => domain.trim())
+    .filter((domain) => !!domain);
+
+  app.enableCors({
+    origin: (
+      origin: string | undefined,
+      callback: (err: Error | null, allow?: boolean) => void,
+    ) => {
+      if (!origin) return callback(null, true);
+
+      try {
+        const { hostname } = new URL(origin);
+
+        const isWhitelisted = whiteListedOrigins.includes(hostname);
+
+        const isTunnelDomain =
+          environment !== 'production' &&
+          tunnelDomains.some((testDomain) => hostname.endsWith(testDomain));
+
+        if (isWhitelisted || isTunnelDomain) {
+          return callback(null, true);
+        }
+
+        console.error(`[CORS ERROR]: Origin ${origin} is not allowed.`);
+        return callback(new Error(`CORS blocked for origin: ${origin}`));
+      } catch (error) {
+        console.error(`[CORS ERROR]: Malformed origin`, error);
+        return callback(new Error(`Invalid origin: ${origin}`));
+      }
+    },
+    credentials: true,
+  });
+
+  app.useGlobalPipes(new ValidationPipe({ transform: true }));
   app.use(cookieParser());
 
   await app.listen(process.env.PORT ?? 3000);
 }
+
 bootstrap();