Merge pull request #1041 from lbryio/cors2

applies open cors to publish routes

cli/defaults/siteConfig.json

@@ -18,8 +18,7 @@
     "host": "https://www.example.com",
     "description": "A decentralized hosting platform built on LBRY",
     "twitter": false,
-    "blockListEndpoint": "https://api.lbry.com/file/list_blocked",
+    "blockListEndpoint": "https://api.lbry.com/file/list_blocked"
-    "corsWhitelist": []
   },
   "publishing": {
     "primaryClaimAddress": null,

server/index.js

@@ -3,7 +3,6 @@ const express = require('express');
 const bodyParser = require('body-parser');
 const expressHandlebars = require('express-handlebars');
 const helmet = require('helmet');
-const cors = require('cors');
 const cookieSession = require('cookie-session');
 const http = require('http');
 const logger = require('winston');
@@ -24,7 +23,7 @@ const processTrending = require('./utils/processTrending');
 const { setRouteDataInContextMiddleware } = require('./middleware/httpContextMiddleware');
 
 const {
-  details: { port: PORT, blockListEndpoint, corsWhitelist, host },
+  details: { port: PORT, blockListEndpoint },
   startup: { performChecks, performUpdates },
 } = require('@config/siteConfig');
 
@@ -83,37 +82,7 @@ function Server() {
 
     // set HTTP headers to protect against well-known web vulnerabilties
     app.use(helmet());
-    // open cors for site/config:host (current instance)
-    var originWhitelist = [
-      host
-    ];
-    // whitelist is found in site/config:details:
-    // enter corsWhitelist: ["*"] to allow all
-    // enter your domains otherwise:["https://example.com", ...]
-    if ( corsWhitelist && corsWhitelist.length ) {
-      originWhitelist = originWhitelist.concat(corsWhitelist);
-    }
 
-    var corsOptions = originWhitelist && originWhitelist.includes('*')
-    ? {
-      "origin": "*",
-      "methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
-      "preflightContinue": false,
-      "optionsSuccessStatus": 204
-    }
-    : {
-      origin: function(origin, callback) {
-        if ((origin === undefined) || originWhitelist.indexOf(origin) !== -1) {
-          callback(null, true);
-        } else {
-          let error = new Error(`CORS has blocked this website from access. Contact an administrator from ${host} if you feel this is in error.`);
-          error.code = "ECORS"
-          callback(error);
-        }
-      },
-    };
-
-    app.use(cors(corsOptions));
     // Support per-request http-context
     app.use(httpContext.middleware);
 
@@ -179,16 +148,6 @@ function Server() {
       );
     });
 
-    app.use( (error, req, res, next) => {
-      if (error.code === 'ECORS'){
-        res.status(403);
-        res.send({message: error})
-      } else {
-        res.status(520);
-        res.send({ message: error });
-      }
-    })
-
     this.app = app;
   };
   this.createServer = () => {

server/routes/api/index.js

@@ -25,6 +25,7 @@ const publishingConfig = require('../../controllers/api/config/site/publishing')
 const getTorList = require('../../controllers/api/tor');
 const getBlockedList = require('../../controllers/api/blocked');
 const getOEmbedData = require('../../controllers/api/oEmbed');
+const cors = require('cors');
 
 export default {
   // homepage routes
@@ -43,10 +44,10 @@ export default {
   '/api/claim/data/:claimName/:claimId'  : { controller: [ torCheckMiddleware, claimData ] },
   '/api/claim/get/:name/:claimId'        : { controller: [ torCheckMiddleware, claimGet ] },
   '/api/claim/list/:name'                : { controller: [ torCheckMiddleware, claimList ] },
-  '/api/claim/long-id'                   : { method: 'post', controller: [ torCheckMiddleware, claimLongId ] }, // note: should be a 'get'
+  '/api/claim/long-id'                   : { method: 'post', controller: [ cors(), torCheckMiddleware, claimLongId ] }, // note: should be a 'get'
-  '/api/claim/publish'                   : { method: 'post', controller: [ torCheckMiddleware, autoblockPublishMiddleware, multipartMiddleware, autoblockPublishBodyMiddleware, claimPublish ] },
+  '/api/claim/publish'                   : { method: 'post', controller: [ cors(), torCheckMiddleware, autoblockPublishMiddleware, multipartMiddleware, autoblockPublishBodyMiddleware, claimPublish ] },
-  '/api/claim/update'                    : { method: 'post', controller: [ torCheckMiddleware, multipartMiddleware, claimUpdate ] },
+  '/api/claim/update'                    : { method: 'post', controller: [ cors(), torCheckMiddleware, multipartMiddleware, claimUpdate ] },
-  '/api/claim/abandon'                   : { method: 'post', controller: [ torCheckMiddleware, multipartMiddleware, claimAbandon ] },
+  '/api/claim/abandon'                   : { method: 'post', controller: [ cors(), torCheckMiddleware, multipartMiddleware, claimAbandon ] },
   '/api/claim/resolve/:name/:claimId'    : { controller: [ torCheckMiddleware, claimResolve ] },
   '/api/claim/short-id/:longId/:name'    : { controller: [ torCheckMiddleware, claimShortId ] },
   '/api/claim/views/:claimId'            : { controller: [ torCheckMiddleware, claimViews ] },
@@ -55,7 +56,7 @@ export default {
   // user routes
   '/api/user/password/'                  : { method: 'put', controller: [ torCheckMiddleware, userPassword ] },
   // configs
-  '/api/config/site/publishing'          : { controller: [ torCheckMiddleware, publishingConfig ] },
+  '/api/config/site/publishing'          : { controller: [ cors(), torCheckMiddleware, publishingConfig ] },
   // tor
   '/api/tor'                             : { controller: [ torCheckMiddleware, getTorList ] },
   // blocked