Block HTK server CSRF requests by Origin header

Author: pimterry

package-lock.json

@@ -48,6 +48,7 @@
     "@types/aws-lambda": "^8.10.15",
     "@types/chai": "^4.1.6",
     "@types/env-paths": "^1.0.2",
+    "@types/express": "^4.16.1",
     "@types/lodash": "^4.14.117",
     "@types/mocha": "^5.2.5",
     "@types/node": "^10.12.0",

package.json

@@ -1,6 +1,7 @@
 import * as _ from 'lodash';
 import * as events from 'events';
-import { GraphQLServer } from 'graphql-yoga'
+import { GraphQLServer } from 'graphql-yoga';
+import * as Express from 'express';
 import { GraphQLScalarType } from 'graphql';
 
 import { HtkConfig } from './config';
@@ -152,6 +153,22 @@ export class HttpToolkitServer extends events.EventEmitter {
             typeDefs,
             resolvers: buildResolvers(config, interceptors, this)
         });
+
+        // TODO: This logic also exists in Mockttp - probably good to commonize it somewhere.
+        this.graphql.use((req: Express.Request, res: Express.Response, next: () => void) => {
+            const origin = req.headers['origin'];
+            // This will have been set (or intentionally not set), by the CORS middleware
+            const allowedOrigin = res.getHeader('Access-Control-Allow-Origin');
+
+            // If origin is set (null or an origin) but was not accepted by the CORS options
+            // Note that if no options.cors is provided, allowedOrigin is always *.
+            if (origin !== undefined && allowedOrigin !== '*' && allowedOrigin !== origin) {
+                // Don't process the request: error out & skip the lot (to avoid CSRF)
+                res.status(403).send('CORS request sent by unacceptable origin');
+            } else {
+                next();
+            }
+        });
     }
 
     async start() {