From 6c6aecb33bbb06e37a149bcaed58847161e0c523 Mon Sep 17 00:00:00 2001 From: aster <137767097+aster-void@users.noreply.github.com> Date: Fri, 8 Nov 2024 14:15:26 +0900 Subject: [PATCH 1/5] use CORS_ALLOW_ORIGINS instead of SERVER_ORIGIN, WEB_ORIGIN, WEB_ORIGIN_BUILD, and MOBILE_ORIGIN --- server/.env.sample | 6 ++---- server/src/index.ts | 16 +++++++++------- server/src/lib/utils.ts | 14 ++++++++++++++ 3 files changed, 25 insertions(+), 11 deletions(-) create mode 100644 server/src/lib/utils.ts diff --git a/server/.env.sample b/server/.env.sample index bb0e5bca..a7824bfb 100644 --- a/server/.env.sample +++ b/server/.env.sample @@ -3,10 +3,8 @@ # below can be used for docker db created via `make dev-db` DATABASE_URL=postgres://user:password@localhost:5432/database -# Application origins -SERVER_ORIGIN=http://localhost:3000 -WEB_ORIGIN=http://localhost:5173 -MOBILE_ORIGIN=http://localhost:8081 +# CORS allow origins, separated by "," | no space is allowed before/after "," +CORS_ALLOW_ORIGINS=http://localhost:3000,http://localhost:3001 # Firebase FIREBASE_PROJECT_ID=project-id diff --git a/server/src/index.ts b/server/src/index.ts index de19b304..a32aa9e2 100644 --- a/server/src/index.ts +++ b/server/src/index.ts @@ -3,6 +3,7 @@ import express from "express"; import csrf from "./lib/cross-origin/block-unknown-origin"; import cors from "./lib/cross-origin/multi-origin-cors"; import { initializeSocket } from "./lib/socket/socket"; +import { allUrlMustBeValid, panic } from "./lib/utils"; import chatRoutes from "./router/chat"; import coursesRoutes from "./router/courses"; import matchesRoutes from "./router/matches"; 
@@ -17,14 +18,15 @@ const app = express(); app.set("query parser", "simple"); const port = 3000; -const allowedOrigins = [ - process.env.SERVER_ORIGIN ?? "http://localhost:3000", // delete this fallback when you think everyone has updated their .env - process.env.WEB_ORIGIN, - process.env.MOBILE_ORIGIN, - process.env.WEB_ORIGIN_BUILD, -]; +const allowedOrigins = ( + process.env.CORS_ALLOW_ORIGINS || panic("env CORS_ALLOW_ORIGINS is missing") +) + .split(",") + .filter((s) => s); // ignore empty string (trailing comma?) +allUrlMustBeValid(allowedOrigins); + export const corsOptions = { - origins: allowedOrigins.filter((s) => s != null).filter((s) => s), // ignore empty string too + origins: allowedOrigins, methods: ["GET", "HEAD", "POST", "PUT", "DELETE"], credentials: true, }; diff --git a/server/src/lib/utils.ts b/server/src/lib/utils.ts new file mode 100644 index 00000000..8eddd99d --- /dev/null +++ b/server/src/lib/utils.ts @@ -0,0 +1,14 @@ +export function panic(reason: string): never { + throw new Error(`function panic() called for reason: "${reason}"`); +} + +export function allUrlMustBeValid(urls: string[]) { + for (const url of urls) { + try { + new URL(url); + } catch (err) { + console.error(err); + throw err; + } + } +} From b2cd5b79793122cfdf2d8a12a8a4f45d17d8adb6 Mon Sep 17 00:00:00 2001 From: aster <137767097+aster-void@users.noreply.github.com> Date: Fri, 8 Nov 2024 14:30:31 +0900 Subject: [PATCH 2/5] set CORS_ALLOW_ORIGINS on test because it can't load .env --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index bee23e3a..5f5d5021 100644 --- a/Makefile +++ b/Makefile @@ -36,6 +36,7 @@ test: export DATABASE_URL=$(LOCAL_DB) test: export NEVER_LOAD_DOTENV=1 test: export UNSAFE_SKIP_AUTH=1 test: export FIREBASE_PROJECT_ID=mock-proj +test: export CORS_ALLOW_ORIGINS="http://localhost:3000" test: dev-db cd server/src; ENV_FILE=../.env.dev bun test cd ./test; ENV_FILE=../server/.env.dev bun test 
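Review bot: The check added at `allUrlMustBeValid(allowedOrigins)` confirms that each entry parses as a URL, not that it is an origin, so a value such as `http://localhost:5173/` or `http://localhost:5173/app` passes validation yet will presumably never equal a browser's `Origin` header (scheme, host and port only) and is silently dead in the allowlist; an entry with a leading space behaves the same way, since `new URL()` trims it but a string comparison will not. A stricter startup check is to require `new URL(s).origin === s` for every entry, so a misconfigured list fails at boot instead of surfacing as an unexplained CORS rejection; this is the check that `allUrlMustBeValid` in server/src/lib/utils.ts (same commit) would need. Using `||` rather than `??` on `process.env.CORS_ALLOW_ORIGINS` looks intentional so that an empty value also panics; a short comment such as `// "||" on purpose: an empty allowlist is a misconfiguration too` would stop someone "fixing" it to `??`. How entries are matched lives in ./lib/cross-origin/multi-origin-cors, which is not in this patch, so the exact-match assumption should be confirmed there.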
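Review bot: In the new server/src/lib/utils.ts, `allUrlMustBeValid` logs the raw `TypeError` with `console.error(err)` and then rethrows it, so the failure is reported twice and neither report says which entry of which setting was rejected beyond whatever the Node `ERR_INVALID_URL` error carries. Rethrowing a wrapped error that names the entry is more useful at startup, e.g. `throw new Error(\`invalid URL in allow list: "${url}"\`, { cause: err });` (drop the `console.error`; the process crash will print it once), using a string suffix instead of `cause` if the tsconfig lib target does not include it. The function also has no explicit return type; `export function allUrlMustBeValid(urls: readonly string[]): void` documents that it is a pure assertion that does not mutate its input. `panic`'s `never` return type is right, but the message prefix `function panic() called for reason:` adds nothing the stack trace does not already show and could be just the reason.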
From 0cb728da0f7bbc1af36f9f4286ca41958f982b88 Mon Sep 17 00:00:00 2001 From: aster <137767097+aster-void@users.noreply.github.com> Date: Fri, 8 Nov 2024 14:31:30 +0900 Subject: [PATCH 3/5] use multiple CORS_ALLOW_ORIGINS in test --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 5f5d5021..a39d9681 100644 --- a/Makefile +++ b/Makefile @@ -36,7 +36,7 @@ test: export DATABASE_URL=$(LOCAL_DB) test: export NEVER_LOAD_DOTENV=1 test: export UNSAFE_SKIP_AUTH=1 test: export FIREBASE_PROJECT_ID=mock-proj -test: export CORS_ALLOW_ORIGINS="http://localhost:3000" +test: export CORS_ALLOW_ORIGINS="http://localhost:3000,https://localhost:3001" test: dev-db cd server/src; ENV_FILE=../.env.dev bun test cd ./test; ENV_FILE=../server/.env.dev bun test From 60fc9f0bfac20e47c17b70188126615c149bb830 Mon Sep 17 00:00:00 2001 From: Yuki Kobayashi <137767097+aster-void@users.noreply.github.com> Date: Fri, 8 Nov 2024 19:01:07 +0900 Subject: [PATCH 4/5] delete "s from around CORS_ALLOW_ORIGINS in Makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a39d9681..0f9f21aa 100644 --- a/Makefile +++ b/Makefile @@ -36,7 +36,7 @@ test: export DATABASE_URL=$(LOCAL_DB) test: export NEVER_LOAD_DOTENV=1 test: export UNSAFE_SKIP_AUTH=1 test: export FIREBASE_PROJECT_ID=mock-proj -test: export CORS_ALLOW_ORIGINS="http://localhost:3000,https://localhost:3001" +test: export CORS_ALLOW_ORIGINS=http://localhost:3000,https://localhost:3001 test: dev-db cd server/src; ENV_FILE=../.env.dev bun test cd ./test; ENV_FILE=../server/.env.dev bun test From ab1f13a324642d5559f5405e189fae57b8ecb69a Mon Sep 17 00:00:00 2001 From: aster <137767097+aster-void@users.noreply.github.com> Date: Sun, 10 Nov 2024 11:23:18 +0900 Subject: [PATCH 5/5] 3001 -> 5173 --- Makefile | 2 +- server/.env.sample | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 0f9f21aa..3892e689 100644 
--- a/Makefile +++ b/Makefile @@ -36,7 +36,7 @@ test: export DATABASE_URL=$(LOCAL_DB) test: export NEVER_LOAD_DOTENV=1 test: export UNSAFE_SKIP_AUTH=1 test: export FIREBASE_PROJECT_ID=mock-proj -test: export CORS_ALLOW_ORIGINS=http://localhost:3000,https://localhost:3001 +test: export CORS_ALLOW_ORIGINS=http://localhost:3000,https://localhost:5173 test: dev-db cd server/src; ENV_FILE=../.env.dev bun test cd ./test; ENV_FILE=../server/.env.dev bun test diff --git a/server/.env.sample b/server/.env.sample index a7824bfb..55763721 100644 --- a/server/.env.sample +++ b/server/.env.sample @@ -4,7 +4,7 @@ DATABASE_URL=postgres://user:password@localhost:5432/database # CORS allow origins, separated by "," | no space is allowed before/after "," -CORS_ALLOW_ORIGINS=http://localhost:3000,http://localhost:3001 +CORS_ALLOW_ORIGINS=http://localhost:3000,http://localhost:5173 # Firebase FIREBASE_PROJECT_ID=project-id