From aa4a43a1a5af3e5759a5e667eea44ff10fdd3700 Mon Sep 17 00:00:00 2001
From: jessop <jessopb@gmail.com>
Date: Sun, 29 Sep 2019 14:54:17 -0400
Subject: [PATCH] cors

---
 package-lock.json |  9 +++++++++
 package.json      |  1 +
 server/index.js   | 20 +++++++++++++++++++-
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/package-lock.json b/package-lock.json
index c25cc17d..0d8c6e30 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3611,6 +3611,15 @@
       "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
       "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac="
     },
+    "cors": {
+      "version": "2.8.5",
+      "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz",
+      "integrity": "sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==",
+      "requires": {
+        "object-assign": "^4",
+        "vary": "^1"
+      }
+    },
     "cosmiconfig": {
       "version": "5.0.7",
       "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-5.0.7.tgz",
diff --git a/package.json b/package.json
index 9b224229..8ad68ed5 100644
--- a/package.json
+++ b/package.json
@@ -41,6 +41,7 @@
     "body-parser": "^1.18.3",
     "connect-multiparty": "^2.2.0",
     "cookie-session": "^2.0.0-beta.3",
+    "cors": "^2.8.5",
     "express": "^4.16.4",
     "express-handlebars": "^3.0.0",
     "express-http-context": "^1.2.0",
diff --git a/server/index.js b/server/index.js
index 87455cea..64225f47 100644
--- a/server/index.js
+++ b/server/index.js
@@ -3,6 +3,7 @@ const express = require('express');
 const bodyParser = require('body-parser');
 const expressHandlebars = require('express-handlebars');
 const helmet = require('helmet');
+const cors = require('cors');
 const cookieSession = require('cookie-session');
 const http = require('http');
 const logger = require('winston');
@@ -82,7 +83,24 @@ function Server() {
 
     // set HTTP headers to protect against well-known web vulnerabilties
     app.use(helmet());
-
+    // open cors for lbry.tv lbry.tech localhost lbry.com
+    var whitelist = [
+      'https://lbry.com',
+      'https://lbry.tech',
+      'https://lbry.tv',
+      'http://localhost',
+      'http://localhost:1337',
+    ];
+    var corsOptions = {
+      origin: function(origin, callback) {
+        if (whitelist.indexOf(origin) !== -1) {
+          callback(null, true);
+        } else {
+          callback(new Error('Not allowed by CORS'));
+        }
+      },
+    };
+    app.use(cors(corsOptions));
     // Support per-request http-context
     app.use(httpContext.middleware);