feat: Handle map doc CORS at server level

theopensystemslab · Jan 18, 2024 · 10fe0de · 10fe0de
1 parent 742ee9e
commit 10fe0de
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 122 deletions.
diff --git a/api.planx.uk/modules/ordnanceSurvey/middleware.ts b/api.planx.uk/modules/ordnanceSurvey/middleware.ts
diff --git a/api.planx.uk/modules/ordnanceSurvey/ordnanceSurvey.test.ts b/api.planx.uk/modules/ordnanceSurvey/ordnanceSurvey.test.ts
@@ -57,76 +57,6 @@ describe("Ordnance Survey proxy endpoint", () => {
         });
       });
   });
-
-  describe("CORS functionality", () => {
-    it("blocks requests which are not from a valid referrer", async () => {
-      await get(ENDPOINT + TILE_PATH)
-        .set({ origin: "https://www.invalid-site.com" })
-        .expect(401)
-        .then((response) => {
-          expect(response.body).toEqual({
-            error: "Unauthorised",
-          });
-        });
-    });
-
-    it("allows requests from allow-listed URLs", async () => {
-      nock(OS_DOMAIN)
-        .get(TILE_PATH)
-        .query({ key: process.env.ORDNANCE_SURVEY_API_KEY })
-        .reply(200, { test: "returned tile" });
-
-      await get(ENDPOINT + TILE_PATH)
-        .set({ origin: "https://oslmap.netlify.app" })
-        .expect(200)
-        .then((response) => {
-          expect(response.body).toEqual({
-            test: "returned tile",
-          });
-          expect(response.headers["cross-origin-resource-policy"]).toEqual(
-            "cross-origin",
-          );
-        });
-    });
-
-    it("allows requests from PlanX", async () => {
-      nock(OS_DOMAIN)
-        .get(TILE_PATH)
-        .query({ key: process.env.ORDNANCE_SURVEY_API_KEY })
-        .reply(200, { test: "returned tile" });
-
-      await get(ENDPOINT + TILE_PATH)
-        .set({ origin: "https://www.planx.dev" })
-        .expect(200)
-        .then((response) => {
-          expect(response.body).toEqual({
-            test: "returned tile",
-          });
-          expect(response.headers["cross-origin-resource-policy"]).toEqual(
-            "cross-origin",
-          );
-        });
-    });
-
-    it("allows requests from custom domains", async () => {
-      nock(OS_DOMAIN)
-        .get(TILE_PATH)
-        .query({ key: process.env.ORDNANCE_SURVEY_API_KEY })
-        .reply(200, { test: "returned tile" });
-
-      await get(ENDPOINT + TILE_PATH)
-        .set({ origin: "https://planningservices.buckinghamshire.gov.uk" })
-        .expect(200)
-        .then((response) => {
-          expect(response.body).toEqual({
-            test: "returned tile",
-          });
-          expect(response.headers["cross-origin-resource-policy"]).toEqual(
-            "cross-origin",
-          );
-        });
-    });
-  });
 });
 
 describe("appendAPIKey helper function", () => {

diff --git a/api.planx.uk/modules/ordnanceSurvey/routes.ts b/api.planx.uk/modules/ordnanceSurvey/routes.ts
@@ -1,9 +1,8 @@
 import { Router } from "express";
 import { useOrdnanceSurveyProxy } from "./controller";
-import { osProxyCORS } from "./middleware";
 
 const router = Router();
 
-router.use("/proxy/ordnance-survey", osProxyCORS, useOrdnanceSurveyProxy);
+router.use("/proxy/ordnance-survey", useOrdnanceSurveyProxy);
 
 export default router;
diff --git a/api.planx.uk/server.ts b/api.planx.uk/server.ts
@@ -43,8 +43,9 @@ const checkAllowedOrigins: CorsOptions["origin"] = (origin, callback) => {
   const isDevelopment = process.env.APP_ENVIRONMENT === "development";
   const allowList = process.env.CORS_ALLOWLIST?.split(", ") || [];
   const isAllowed = Boolean(origin && allowList.includes(origin));
+  const isMapDocs = Boolean(origin?.endsWith("oslmap.netlify.app"));
 
-  !origin || isTest || isDevelopment || isAllowed
+  !origin || isTest || isDevelopment || isAllowed || isMapDocs
     ? callback(null, true)
     : callback(new Error("Not allowed by CORS"));
 };