diff --git a/README.md b/README.md
index ebac244..48754f3 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,15 @@ if (module.hot) {
 }
 ```
-Configure the allowed_cors_destinations in config.settings or provide a system
-environment variable named ALLOWED_CORS_DESTINATIONS, which is a list of comma
-separated hostnames.
+In the ``config.js`` file, add a new key to the ``settings`` variable, named
+``allowed_cors_destinations``. This is an array of strings, each string being
+a hostname that will be allowed as proxy destination. For example, to allow
+embedding files from the eea.europa.eu domain, set the settings like:
+
+```
+settings.allowed_cors_destinations = ['eea.europa.eu']
+
+```
+
+Another option is to provide a system environment variable named
+ALLOWED_CORS_DESTINATIONS, which is a list of comma separated hostnames.
diff --git a/src/server.jsx b/src/server.jsx
index d336a36..06de0ba 100644
--- a/src/server.jsx
+++ b/src/server.jsx
@@ -59,59 +59,63 @@ const allowed_cors_destinations = [
 ...env_destinations,
 ];
-server
- .disable('x-powered-by')
- .use(express.static(process.env.RAZZLE_PUBLIC_DIR))
+function handleAll(req, res, next) {
+ const match = req.path.match(/\/cors-proxy\/(.*)/);
+ if (match && match.length === 2) {
+ // console.log('CORS method on path', req.path);
- .all('/*', function(req, res, next) {
- const match = req.path.match(/\/cors-proxy\/(.*)/);
- if (match && match.length === 2) {
- const targetURL = match[1];
- const parsed = url.parse(targetURL);
+ const targetURL = match[1];
+ const parsed = url.parse(targetURL);
- // TODO: use regex matching
- if (allowed_cors_destinations.indexOf(parsed.host) === -1) {
- res.set({
- 'Cache-Control': 'public, max-age=60, no-transform',
- });
+ if (allowed_cors_destinations.indexOf(parsed.host) === -1) {
+ res.set({
+ 'Cache-Control': 'public, max-age=60, no-transform',
+ });
+
+ console.error(`Not proxying: ${targetURL}`);
+ res.status(409).send(`
+ Error, CORS proxy destination not allowed
+ `);
+ return;
+ }
- res
- .status(500)
- .send(`Error, not allowed`);
- return;
- }
-
- // Set CORS headers: allow all origins, methods, and headers:
- // you may want to lock this down in a production environment
- res.header(
- 'Access-Control-Allow-Origin',
- settings.allow_cors_origin || '*',
- );
- res.header('Access-Control-Allow-Methods', 'GET');
- // res.header('Access-Control-Allow-Headers', '');
-
- if (req.method === 'OPTIONS') {
- res.send(); // CORS Preflight
- } else {
- request(
- {
- url: targetURL,
- method: req.method,
- json: req.body,
- headers: { Authorization: req.header('Authorization') },
- },
- function(error, response, body) {
- if (error) {
- console.error('error: ' + response.statusCode);
- }
- // console.log(body);
- },
- ).pipe(res);
- }
+ // Set CORS headers: allow all origins, methods, and headers:
+ // you may want to lock this down in a production environment
+ res.header(
+ 'Access-Control-Allow-Origin',
+ settings.allow_cors_origin || '*',
+ );
+ res.header('Access-Control-Allow-Methods', 'GET');
+ // res.header('Access-Control-Allow-Headers', '');
+
+ if (req.method === 'OPTIONS') {
+ res.send(); // CORS Preflight
 } else {
- next();
+ request(
+ {
+ url: targetURL,
+ method: req.method,
+ json: req.body,
+ headers: { Authorization: req.header('Authorization') },
+ },
+ function(error, response, body) {
+ if (error) {
+ console.error('error: ' + response.statusCode);
+ }
+ // console.log(body);
+ },
+ ).pipe(res);
 }
- })
+ } else {
+ next();
+ }
+}
+
+server
+ .disable('x-powered-by')
+ .use(express.static(process.env.RAZZLE_PUBLIC_DIR))
+
+ .all('/*', handleAll)
 .get('/*', (req, res) => {
 plugToRequest(req, res);