Optional CORS headers, disabled by default

CHANGELOG.md

@@ -1,5 +1,7 @@
 # Changelog
 
+* TBD:
+  * New "cors" option that when enabled the server will allow CORS requests - disabled by default.
 * v0.26.2:
   * Latest lightning-backends fixed GetAlby (again)
 * v0.26.1:

lib/Server.js

@@ -75,6 +75,8 @@ Server.prototype.defaultOptions = {
 	listen: true,
 	// The URL where the server is externally reachable (e.g "http://your-lnurl-server.com"):
 	url: null,
+	// Whether or not to allow CORS requests:
+	cors: false,
 	// The URI path of the web API end-point:
 	endpoint: '/lnurl',
 	auth: {
@@ -238,6 +240,16 @@ Server.prototype.createWebServer = function(options) {
 	const middleware = this.middleware();
 	app.use(middleware.stripHeaders);
 	app.use(middleware.logRequests);
+	if (options.cors) {
+		app.all('*', function(req, res, next) {
+			res.setHeader('Access-Control-Allow-Origin', '*');
+			next();
+		});
+		app.options('*', function(req, res, next) {
+			res.setHeader('Allow', 'OPTIONS, GET, HEAD');
+			return res.status(200).send('');
+		});
+	}
 	app.get('/status',
 		middleware.hook['status'],
 		middleware.status

test/unit/lib/Server/cors.js

@@ -0,0 +1,96 @@
+const assert = require('assert');
+
+describe('CORS', function() {
+
+	describe('false (default)', function() {
+
+		let server;
+		before(function() {
+			server = this.helpers.createServer({
+				lightning: { backend: 'dummy', config: {} },
+			});
+			return server.onReady();
+		});
+
+		after(function() {
+			if (server) return server.close();
+		});
+
+		describe('OPTIONS *', function() {
+
+			it('response error', function() {
+				return this.helpers.request('options', {
+					url: server.getCallbackUrl(),
+				}).then(result => {
+					const { response, body } = result;
+					assert.strictEqual(response.statusCode, 404);
+					assert.ok(!response.headers['allow']);
+					assert.ok(!response.headers['access-control-allow-origin']);
+				});
+			});
+		});
+
+		describe('GET /status', function() {
+
+			it('response does not include CORS headers', function() {
+				return this.helpers.request('get', {
+					url: server.getUrl('/status'),
+				}).then(result => {
+					const { response, body } = result;
+					assert.strictEqual(response.statusCode, 200);
+					assert.ok(!response.headers['access-control-allow-origin']);
+					assert.deepStrictEqual(body, {
+						status: 'OK',
+					});
+				});
+			});
+		});
+	});
+
+	describe('true', function() {
+
+		let server;
+		before(function() {
+			server = this.helpers.createServer({
+				lightning: { backend: 'dummy', config: {} },
+				cors: true,
+			});
+			return server.onReady();
+		});
+
+		after(function() {
+			if (server) return server.close();
+		});
+
+		describe('OPTIONS *', function() {
+
+			it('empty response with correct headers', function() {
+				return this.helpers.request('options', {
+					url: server.getCallbackUrl(),
+				}).then(result => {
+					const { response, body } = result;
+					assert.strictEqual(response.statusCode, 200);
+					assert.strictEqual(response.headers['allow'], 'OPTIONS, GET, HEAD');
+					assert.strictEqual(response.headers['access-control-allow-origin'], '*');
+					assert.strictEqual(body, '');
+				});
+			});
+		});
+
+		describe('GET /status', function() {
+
+			it('response includes CORS headers', function() {
+				return this.helpers.request('get', {
+					url: server.getUrl('/status'),
+				}).then(result => {
+					const { response, body } = result;
+					assert.strictEqual(response.statusCode, 200);
+					assert.strictEqual(response.headers['access-control-allow-origin'], '*');
+					assert.deepStrictEqual(body, {
+						status: 'OK',
+					});
+				});
+			});
+		});
+	});
+});