Enable Classic DTI to access impress-2020 via CORS

owo, uwu,
This commit is contained in:
Emi Matchu 2023-08-20 15:40:21 -07:00
parent 17be011ff8
commit 85d68f68e1
3 changed files with 31 additions and 7 deletions


@ -10,6 +10,7 @@ const beeline = require("honeycomb-beeline")({
const { ApolloServer } = require("../../src/server/lib/apollo-server-vercel"); const { ApolloServer } = require("../../src/server/lib/apollo-server-vercel");
const { config } = require("../../src/server"); const { config } = require("../../src/server");
const { applyCORSHeaders } = require("../../src/server/cors");
const crypto = require("crypto"); const crypto = require("crypto");
const server = new ApolloServer(config); const server = new ApolloServer(config);
@ -48,13 +49,13 @@ function deterministicSampler(traceId, sampleRate) {
} }
async function handle(req, res) { async function handle(req, res) {
// CAREFUL! We here allow any website to use our GraphQL API, so our data can // Apply CORS headers, to allow Classic DTI to request this.
// be more useful to the public. Using the * wildcard means that, in modern // If this is an OPTIONS request asking for CORS info, return an empty
// browsers, requests should be sent without credentials. Additionally, we // response with just the CORS headers applied.
// don't store credentials in cookies; the client is responsible for setting applyCORSHeaders(req, res);
// an Authorization header. So, I don't think there's any CSRF danger here. if (req.method === "OPTIONS") {
// But, let's be careful and make sure this continues to be true! return res.status(204).end();
res.setHeader("Access-Control-Allow-Origin", "*"); }
await serverHandler(req, res); await serverHandler(req, res);
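Review bot: The new applyCORSHeaders call silently drops the public `Access-Control-Allow-Origin: *` that the removed comment described as deliberate ("so our data can be more useful to the public"); any origin not in the allowlist now gets no CORS header at all, so third-party browser clients of the GraphQL API lose access. If that narrowing is intended, it deserves a comment where the CAREFUL note used to be, e.g. `// NOTE: only allowlisted origins receive CORS headers now; other sites can no longer call this API from a browser.`; if not, the helper should fall back to `*` when the Origin is not allowlisted. The removed comment also recorded the reasoning that makes reflecting an origin safe here (no cookie credentials, client-set Authorization header) — keep it, so nobody later adds `Access-Control-Allow-Credentials` to an echoed origin without revisiting that analysis. handle's body continues past the end of the hunk.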


@ -6,6 +6,7 @@ const beeline = require("honeycomb-beeline")({
: "Dress to Impress (2020, dev)", : "Dress to Impress (2020, dev)",
serviceName: "impress-2020-gql-server", serviceName: "impress-2020-gql-server",
}); });
import { applyCORSHeaders } from "../../src/server/cors";
import connectToDb from "../../src/server/db"; import connectToDb from "../../src/server/db";
import { getPoseFromPetState, normalizeRow } from "../../src/server/util"; import { getPoseFromPetState, normalizeRow } from "../../src/server/util";
@ -103,6 +104,14 @@ async function getDistinctPetStates(db) {
} }
async function handle(req, res) { async function handle(req, res) {
// Apply CORS headers, to allow Classic DTI to request this.
// If this is an OPTIONS request asking for CORS info, return an empty
// response with just the CORS headers applied.
applyCORSHeaders(req, res);
if (req.method === "OPTIONS") {
return res.status(204).end();
}
const buffer = await getValidPetPoses(); const buffer = await getValidPetPoses();
// Cache for 1 hour, and allow the CDN cache to serve copies up to an // Cache for 1 hour, and allow the CDN cache to serve copies up to an
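Review bot: This response is cached for an hour and served from the CDN (comment at the end of the hunk), but applyCORSHeaders emits an origin-specific `Access-Control-Allow-Origin` with no `Vary: Origin`, so a copy cached for one origin — or for a request with no Origin header, which carries no CORS header at all — can be served to another allowlisted origin and fail the browser's CORS check. Add `res.setHeader("Vary", "Origin");` next to the applyCORSHeaders call (or inside the helper) so the cache keys on Origin. The 204 for OPTIONS returns before the cache headers are set, so preflight responses are presumably not cached — worth confirming, since otherwise the same problem applies to them. handle's body continues past the end of the hunk.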

14
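--- /dev/null
+++ b/src/server/cors.js
@@ -0,0 +1,14 @@
+const ALLOWED_CORS_ORIGINS = [
+"https://beta.impress.openneo.net",
+"https://impress.openneo.net",
+"http://localhost:3000",
+];
+export function applyCORSHeaders(req, res) {
+const origin = req.headers["origin"];
+if (ALLOWED_CORS_ORIGINS.includes(origin)) {
+res.setHeader("Access-Control-Allow-Origin", origin);
+res.setHeader("Access-Control-Allow-Methods", "*");
+res.setHeader("Access-Control-Allow-Headers", "*");
+}
+}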
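Review bot: `Access-Control-Allow-Headers: "*"` does not cover the `Authorization` header — the Fetch standard's wildcard matching excludes it even for requests sent without credentials — yet the GraphQL handler's removed comment says clients authenticate by setting an Authorization header, so preflights for authenticated requests will be refused by the browser unless it is listed explicitly, e.g. `res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");`. The echoed origin is also sent without `Vary: Origin`, so any shared or CDN cache in front of these endpoints can hand a response with the wrong (or no) `Access-Control-Allow-Origin` to another allowlisted origin; add `res.setHeader("Vary", "Origin");` inside the `if`. Keeping `http://localhost:3000` in the allowlist that ships to production lets any page served on a developer's local port 3000 call the API; low risk while no credentials are involved, but consider gating that entry on `process.env.NODE_ENV`. A short JSDoc on the export stating that origins outside the list receive no CORS headers would make the narrowing from the previous wildcard explicit to callers.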