Merge pull request #1041 from lbryio/cors2

applies open cors to publish routes
jessopb 2019-10-08 09:45:53 -04:00 committed by GitHub
commit 648639e6c6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 49 deletions


@ -18,8 +18,7 @@
"host": "https://www.example.com", "host": "https://www.example.com",
"description": "A decentralized hosting platform built on LBRY", "description": "A decentralized hosting platform built on LBRY",
"twitter": false, "twitter": false,
"blockListEndpoint": "https://api.lbry.com/file/list_blocked", "blockListEndpoint": "https://api.lbry.com/file/list_blocked"
"corsWhitelist": []
}, },
"publishing": { "publishing": {
"primaryClaimAddress": null, "primaryClaimAddress": null,


@ -3,7 +3,6 @@ const express = require('express');
const bodyParser = require('body-parser'); const bodyParser = require('body-parser');
const expressHandlebars = require('express-handlebars'); const expressHandlebars = require('express-handlebars');
const helmet = require('helmet'); const helmet = require('helmet');
const cors = require('cors');
const cookieSession = require('cookie-session'); const cookieSession = require('cookie-session');
const http = require('http'); const http = require('http');
const logger = require('winston'); const logger = require('winston');
@ -24,7 +23,7 @@ const processTrending = require('./utils/processTrending');
const { setRouteDataInContextMiddleware } = require('./middleware/httpContextMiddleware'); const { setRouteDataInContextMiddleware } = require('./middleware/httpContextMiddleware');
const { const {
details: { port: PORT, blockListEndpoint, corsWhitelist, host }, details: { port: PORT, blockListEndpoint },
startup: { performChecks, performUpdates }, startup: { performChecks, performUpdates },
} = require('@config/siteConfig'); } = require('@config/siteConfig');
@ -83,37 +82,7 @@ function Server() {
// set HTTP headers to protect against well-known web vulnerabilties // set HTTP headers to protect against well-known web vulnerabilties
app.use(helmet()); app.use(helmet());
// open cors for site/config:host (current instance)
var originWhitelist = [
host
];
// whitelist is found in site/config:details:
// enter corsWhitelist: ["*"] to allow all
// enter your domains otherwise:["https://example.com", ...]
if ( corsWhitelist && corsWhitelist.length ) {
originWhitelist = originWhitelist.concat(corsWhitelist);
}
var corsOptions = originWhitelist && originWhitelist.includes('*')
? {
"origin": "*",
"methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"preflightContinue": false,
"optionsSuccessStatus": 204
}
: {
origin: function(origin, callback) {
if ((origin === undefined) || originWhitelist.indexOf(origin) !== -1) {
callback(null, true);
} else {
let error = new Error(`CORS has blocked this website from access. Contact an administrator from ${host} if you feel this is in error.`);
error.code = "ECORS"
callback(error);
}
},
};
app.use(cors(corsOptions));
// Support per-request http-context // Support per-request http-context
app.use(httpContext.middleware); app.use(httpContext.middleware);
@ -179,16 +148,6 @@ function Server() {
); );
}); });
app.use( (error, req, res, next) => {
if (error.code === 'ECORS'){
res.status(403);
res.send({message: error})
} else {
res.status(520);
res.send({ message: error });
}
})
this.app = app; this.app = app;
}; };
this.createServer = () => { this.createServer = () => {
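Review bot: Deleting the final `app.use((error, req, res, next) => …)` block removes the generic error branch together with the ECORS one, so the visible part of `Server()` no longer registers any application error handler. Unless one is added elsewhere, errors passed to `next(err)` fall through to Express's default handler, which puts the stack trace in the response whenever NODE_ENV is not `production`. I would keep a catch-all that logs the error and returns a fixed message, e.g. `app.use((error, req, res, next) => { logger.error(error); res.status(500).json({ message: 'Internal server error' }); });`. The body of `Server()` starts and ends outside these hunks, so a handler registered further down would not be visible here.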


@ -25,6 +25,7 @@ const publishingConfig = require('../../controllers/api/config/site/publishing')
const getTorList = require('../../controllers/api/tor'); const getTorList = require('../../controllers/api/tor');
const getBlockedList = require('../../controllers/api/blocked'); const getBlockedList = require('../../controllers/api/blocked');
const getOEmbedData = require('../../controllers/api/oEmbed'); const getOEmbedData = require('../../controllers/api/oEmbed');
const cors = require('cors');
export default { export default {
// homepage routes // homepage routes
@ -43,10 +44,10 @@ export default {
'/api/claim/data/:claimName/:claimId' : { controller: [ torCheckMiddleware, claimData ] }, '/api/claim/data/:claimName/:claimId' : { controller: [ torCheckMiddleware, claimData ] },
'/api/claim/get/:name/:claimId' : { controller: [ torCheckMiddleware, claimGet ] }, '/api/claim/get/:name/:claimId' : { controller: [ torCheckMiddleware, claimGet ] },
'/api/claim/list/:name' : { controller: [ torCheckMiddleware, claimList ] }, '/api/claim/list/:name' : { controller: [ torCheckMiddleware, claimList ] },
'/api/claim/long-id' : { method: 'post', controller: [ torCheckMiddleware, claimLongId ] }, // note: should be a 'get' '/api/claim/long-id' : { method: 'post', controller: [ cors(), torCheckMiddleware, claimLongId ] }, // note: should be a 'get'
'/api/claim/publish' : { method: 'post', controller: [ torCheckMiddleware, autoblockPublishMiddleware, multipartMiddleware, autoblockPublishBodyMiddleware, claimPublish ] }, '/api/claim/publish' : { method: 'post', controller: [ cors(), torCheckMiddleware, autoblockPublishMiddleware, multipartMiddleware, autoblockPublishBodyMiddleware, claimPublish ] },
'/api/claim/update' : { method: 'post', controller: [ torCheckMiddleware, multipartMiddleware, claimUpdate ] }, '/api/claim/update' : { method: 'post', controller: [ cors(), torCheckMiddleware, multipartMiddleware, claimUpdate ] },
'/api/claim/abandon' : { method: 'post', controller: [ torCheckMiddleware, multipartMiddleware, claimAbandon ] }, '/api/claim/abandon' : { method: 'post', controller: [ cors(), torCheckMiddleware, multipartMiddleware, claimAbandon ] },
'/api/claim/resolve/:name/:claimId' : { controller: [ torCheckMiddleware, claimResolve ] }, '/api/claim/resolve/:name/:claimId' : { controller: [ torCheckMiddleware, claimResolve ] },
'/api/claim/short-id/:longId/:name' : { controller: [ torCheckMiddleware, claimShortId ] }, '/api/claim/short-id/:longId/:name' : { controller: [ torCheckMiddleware, claimShortId ] },
'/api/claim/views/:claimId' : { controller: [ torCheckMiddleware, claimViews ] }, '/api/claim/views/:claimId' : { controller: [ torCheckMiddleware, claimViews ] },
@ -55,7 +56,7 @@ export default {
// user routes // user routes
'/api/user/password/' : { method: 'put', controller: [ torCheckMiddleware, userPassword ] }, '/api/user/password/' : { method: 'put', controller: [ torCheckMiddleware, userPassword ] },
// configs // configs
'/api/config/site/publishing' : { controller: [ torCheckMiddleware, publishingConfig ] }, '/api/config/site/publishing' : { controller: [ cors(), torCheckMiddleware, publishingConfig ] },
// tor // tor
'/api/tor' : { controller: [ torCheckMiddleware, getTorList ] }, '/api/tor' : { controller: [ torCheckMiddleware, getTorList ] },
// blocked // blocked
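Review bot: `cors()` is called with no options on the four claim POST routes and on `/api/config/site/publishing`, which with the cors package defaults answers every origin with `Access-Control-Allow-Origin: *`, and nothing in the file records that this is deliberate or that credentials must stay disabled. I would create one shared instance with a comment, e.g. `const openCors = cors(); // any origin, no credentials; never add credentials: true here`, and use `openCors` in the five route arrays instead of building a new middleware each time. Because the claim entries declare `method: 'post'`, a preflight `OPTIONS` request may never reach this middleware; the route registration code is not visible here, so confirm that it also answers `OPTIONS` for these paths. The exported route object starts and ends outside the visible hunks.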