configure CORS in websocket

Author: aster-void

server/src/index.ts

@@ -31,6 +31,12 @@ export const corsOptions = {
   credentials: true,
 };
 
+if (corsOptions.origins.length > 1 && process.env.NODE_ENV === "production") {
+  console.warn(
+    "WARNING: socket.io only supports one cors origin, therefore only first origin will be registered.",
+  );
+}
+
 app.use(cors(corsOptions));
 app.use(csrf(corsOptions));
 

server/src/lib/cross-origin/share.ts

@@ -1,4 +1,4 @@
-type Config = {
+export type Config = {
   origins: string[]; // allowed origins
   methods?: string[]; // Access-Control-Allow-Methods
   credentials?: boolean; // Access-Control-Allow-Credentials
@@ -47,4 +47,4 @@ function assertValidConfig(config: Config) {
   }
 }
 
-export { validateConfig, type Config };
+export { validateConfig };

server/src/lib/socket/socket.ts

@@ -3,12 +3,17 @@ import type { Message, UserID } from "common/types";
 import type { CorsOptions } from "cors";
 import { type Socket, Server as SocketIOServer } from "socket.io";
 import { getUserIdFromToken } from "../../firebase/auth/db";
+import type { Config as CorsConfig } from "../cross-origin/share";
 
 const users = new Map<UserID, Socket>();
 
-export function initializeSocket(server: Server, corsOptions: CorsOptions) {
+export function initializeSocket(server: Server, corsOptions: CorsConfig) {
+  const cors: CorsOptions = {
+    origin: corsOptions.origins[0],
+    ...corsOptions,
+  };
   const io = new SocketIOServer(server, {
-    cors: corsOptions,
+    cors,
     connectionStateRecovery: {},
   });