Send JSON errors for API 403s, and test Origin check explicitly

Author: pimterry

custom-typings/cors-gate.d.ts

@@ -5,6 +5,7 @@ declare module 'cors-gate' {
         origin: string;
         strict?: boolean;
         allowSafe?: boolean;
+        failure: (req: express.Request, res: express.Response, next: express.NextFunction) => void;
     }
 
     function corsGate(options: Options): express.RequestHandler;

src/api/api-server.ts

@@ -64,15 +64,24 @@ export class HttpToolkitServerApi extends events.EventEmitter {
 
         this.server.use(corsGate({
             strict: true, // MUST send an allowed origin
-            allowSafe: false, // Even for HEAD/GET requests (should be none anyway)
-            origin: '' // No origin - we accept *no* same-origin requests
+            allowSafe: false, // Even for HEAD/GET requests
+            origin: '', // No origin - we accept *no* same-origin requests
+
+            // Extend default failure response to add a helpful error body.
+            failure: (_req, res, _next) => {
+                res.statusCode = 403;
+                res.send({ error: { message: 'Invalid CORS headers' }});
+            }
         }));
 
         this.server.use((req, res, next) => {
             if (req.path === '/' && req.method !== 'POST') {
                 // We allow only POST to GQL, because that's all we expect for GraphQL queries,
                 // and this helps derisk some (admittedly unlikely) XSRF possibilities.
-                res.status(405).send('Only POST requests are supported');
+
+                res.status(405).send({
+                    error: { message: 'Only POST requests are supported' }
+                });
 
                 // XSRF is less of a risk elsewhere, as REST GET endpoints don't do dangerous
                 // things. Also we're enforcing Origin headers everywhere so it should be
@@ -92,7 +101,9 @@ export class HttpToolkitServerApi extends events.EventEmitter {
                 const token = tokenMatch[1];
 
                 if (token !== config.authToken) {
-                    res.status(403).send('Valid token required');
+                    res.status(403).send({
+                        error: { message: 'Valid token required' }
+                    });
                 } else {
                     next();
                 }

test/integration-test.spec.ts

@@ -42,10 +42,13 @@ async function setupServerPath() {
     return path.join(tmpDir, 'httptoolkit-server', 'bin', 'run');
 }
 
-const buildGraphql = (url: string) => getGraphQL(url, {
-    asJSON: true,
+const buildGraphql = (
+    url: string,
     // Pretend to be a browser on the real site:
-    headers: { 'origin': 'https://app.httptoolkit.tech' }
+    headers = { 'origin': 'https://app.httptoolkit.tech' }
+) => getGraphQL(url, {
+    asJSON: true,
+    headers
 });
 
 describe('Integration test', function () {
@@ -152,6 +155,38 @@ describe('Integration test', function () {
         });
     });
 
+    it('rejects all requests with invalid origins', async () => {
+        const graphql = buildGraphql('http://localhost:45457/', {
+            origin: 'https://unknown.test'
+        });
+
+        const restWrongOriginResponse = await fetch('http://localhost:45457/version', {
+            headers: { 'origin': 'https://unknown.test' }
+        });
+
+        const restNoOriginResponse = await fetch('http://localhost:45457/version', {
+            headers: {}
+        });
+
+        expect(restWrongOriginResponse.status).to.equal(403);
+        expect(restNoOriginResponse.status).to.equal(403);
+
+        try {
+            await graphql(`
+                query getVersion {
+                    version
+                }
+            `)();
+            expect.fail('GraphQL request with invalid origin should fail');
+        } catch (errorResponse: any) {
+            // GraphQL.js handles errors weirdly, and just throws the response body. Oh well,
+            // it's good enough to test this anyway:
+            expect(errorResponse).to.deep.equal({
+                error: { message: 'Invalid CORS headers' }
+            });
+        }
+    });
+
     it('exposes the system configuration via REST', async () => {
         const response = await fetch('http://localhost:45457/config?proxyPort=8000', {
             headers: { 'origin': 'https://app.httptoolkit.tech' }