feat: Allow multiple origins for header Access-Control-Allow-Origin (parse-community#8517)

MarcDerhammer · web-flow · commit 4f15539ac244 · 2023-05-01T22:25:22.000+02:00
diff --git a/resources/buildConfigDefinitions.js b/resources/buildConfigDefinitions.js
@@ -161,6 +161,9 @@ function mapperFor(elt, t) {
     if (type == 'NumberOrBoolean') {
       return wrap(t.identifier('numberOrBooleanParser'));
     }
+    if (type === 'StringOrStringArray') {
+      return wrap(t.identifier('arrayParser'));
+    }
     return wrap(t.identifier('objectParser'));
   }
 }
@@ -278,6 +281,9 @@ function inject(t, list) {
         const adapterType = elt.typeAnnotation.typeParameters.params[0].id.name;
         type = `Adapter<${adapterType}>`;
       }
+      if (type === 'StringOrStringArray') {
+        type = 'String|String[]';
+      }
       comments += ` * @property {${type}} ${elt.name} ${elt.help}\n`;
       const obj = t.objectExpression(props);
       return t.objectProperty(t.stringLiteral(elt.name), obj);
diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js
@@ -287,6 +287,35 @@ describe('middlewares', () => {
     expect(headers['Access-Control-Allow-Origin']).toEqual('https://parseplatform.org/');
   });
 
+  it('should support multiple origins if several are defined in allowOrigin as an array', () => {
+    AppCache.put(fakeReq.body._ApplicationId, {
+      allowOrigin: ['https://a.com', 'https://b.com', 'https://c.com'],
+    });
+    const headers = {};
+    const res = {
+      header: (key, value) => {
+        headers[key] = value;
+      },
+    };
+    const allowCrossDomain = middlewares.allowCrossDomain(fakeReq.body._ApplicationId);
+    // Test with the first domain
+    fakeReq.headers.origin = 'https://a.com';
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com');
+    // Test with the second domain
+    fakeReq.headers.origin = 'https://b.com';
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual('https://b.com');
+    // Test with the third domain
+    fakeReq.headers.origin = 'https://c.com';
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual('https://c.com');
+    // Test with an unauthorized domain
+    fakeReq.headers.origin = 'https://unauthorized.com';
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com');
+  });
+
   it('should use user provided on field userFromJWT', done => {
     AppCache.put(fakeReq.body._ApplicationId, {
       masterKey: 'masterKey',
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -81,7 +81,9 @@ module.exports.ParseServerOptions = {
   },
   allowOrigin: {
     env: 'PARSE_SERVER_ALLOW_ORIGIN',
-    help: 'Sets the origin to Access-Control-Allow-Origin',
+    help:
+      'Sets origins for Access-Control-Allow-Origin. This can be a string for a single origin or an array of strings for multiple origins.',
+    action: parsers.arrayParser,
   },
   analyticsAdapter: {
     env: 'PARSE_SERVER_ANALYTICS_ADAPTER',
diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -35,6 +35,7 @@ type Adapter<T> = string | any | T;
 type NumberOrBoolean = number | boolean;
 type NumberOrString = number | string;
 type ProtectedFields = any;
+type StringOrStringArray = string | string[];
 type RequestKeywordDenylist = {
   key: string | any,
   value: any,
@@ -61,8 +62,8 @@ export interface ParseServerOptions {
   appName: ?string;
   /* Add headers to Access-Control-Allow-Headers */
   allowHeaders: ?(string[]);
-  /* Sets the origin to Access-Control-Allow-Origin */
-  allowOrigin: ?string;
+  /* Sets origins for Access-Control-Allow-Origin. This can be a string for a single origin or an array of strings for multiple origins. */
+  allowOrigin: ?StringOrStringArray;
   /* Adapter module for the analytics */
   analyticsAdapter: ?Adapter<AnalyticsAdapter>;
   /* Adapter module for the files sub-system */
diff --git a/src/middlewares.js b/src/middlewares.js
@@ -384,8 +384,13 @@ export function allowCrossDomain(appId) {
     if (config && config.allowHeaders) {
       allowHeaders += `, ${config.allowHeaders.join(', ')}`;
     }
-    const allowOrigin = (config && config.allowOrigin) || '*';
-    res.header('Access-Control-Allow-Origin', allowOrigin);
+
+    const baseOrigins =
+      typeof config?.allowOrigin === 'string' ? [config.allowOrigin] : config?.allowOrigin ?? ['*'];
+    const requestOrigin = req.headers.origin;
+    const allowOrigins =
+      requestOrigin && baseOrigins.includes(requestOrigin) ? requestOrigin : baseOrigins[0];
+    res.header('Access-Control-Allow-Origin', allowOrigins);
     res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
     res.header('Access-Control-Allow-Headers', allowHeaders);
     res.header('Access-Control-Expose-Headers', 'X-Parse-Job-Status-Id, X-Parse-Push-Status-Id');

Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,9 @@ function mapperFor(elt, t) {`
`161`	`161`	`if (type == 'NumberOrBoolean') {`
`162`	`162`	`return wrap(t.identifier('numberOrBooleanParser'));`
`163`	`163`	`}`
	`164`	`+ if (type === 'StringOrStringArray') {`
	`165`	`+ return wrap(t.identifier('arrayParser'));`
	`166`	`+ }`
`164`	`167`	`return wrap(t.identifier('objectParser'));`
`165`	`168`	`}`
`166`	`169`	`}`
`@@ -278,6 +281,9 @@ function inject(t, list) {`
`278`	`281`	`const adapterType = elt.typeAnnotation.typeParameters.params[0].id.name;`
`279`	`282`	type = `Adapter<${adapterType}>`;
`280`	`283`	`}`
	`284`	`+ if (type === 'StringOrStringArray') {`
	`285`	`+ type = 'String\|String[]';`
	`286`	`+ }`
`281`	`287`	comments += ` * @property {${type}} ${elt.name} ${elt.help}\n`;
`282`	`288`	`const obj = t.objectExpression(props);`
`283`	`289`	`return t.objectProperty(t.stringLiteral(elt.name), obj);`