fix: Add custom domains to CORS allow list

theopensystemslab · Jan 16, 2024 · 611823f · 611823f
1 parent f34adf1
commit 611823f
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 5 deletions.
diff --git a/api.planx.uk/server.ts b/api.planx.uk/server.ts
@@ -38,11 +38,19 @@ useSwaggerDocs(app);
 
 app.set("trust proxy", 1);
 
+const CORS_ALLOWLIST = process.env.CORS_ALLOWLIST?.split(", ") || [];
+
 app.use(
   cors({
     credentials: true,
     methods: "*",
-    origin: process.env.EDITOR_URL_EXT,
+    origin: function (origin, callback) {
+      if (origin && CORS_ALLOWLIST.includes(origin)) {
+        callback(null, true);
+      } else {
+        callback(new Error("Not allowed by CORS"));
+      }
+    },
     allowedHeaders: [
       "Accept",
       "Authorization",

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -141,6 +141,7 @@ services:
       SLACK_WEBHOOK_URL: ${SLACK_WEBHOOK_URL}
       ORDNANCE_SURVEY_API_KEY: ${ORDNANCE_SURVEY_API_KEY}
       MINIO_PORT: ${MINIO_PORT}
+      CORS_ALLOWLIST: ${EDITOR_URL_EXT}
       # Local authority config
       # Lambeth
       GOV_UK_PAY_TOKEN_LAMBETH: ${GOV_UK_PAY_TOKEN_LAMBETH}
@@ -153,7 +154,7 @@ services:
       UNIFORM_CLIENT_AYLESBURY_VALE: ${UNIFORM_CLIENT_AYLESBURY_VALE}
       UNIFORM_CLIENT_CHILTERN: ${UNIFORM_CLIENT_CHILTERN}
       UNIFORM_CLIENT_WYCOMBE: ${UNIFORM_CLIENT_WYCOMBE}
-      #Medway
+      # Medway
       GOV_UK_PAY_TOKEN_MEDWAY: ${GOV_UK_PAY_TOKEN_MEDWAY}
 
   sharedb:

diff --git a/infrastructure/application/index.ts b/infrastructure/application/index.ts
@@ -10,9 +10,9 @@ import * as mime from "mime";
 import * as tldjs from "tldjs";
 import * as url from "url";
 
-import { generateTeamSecrets } from "./utils/generateTeamSecrets";
+import { generateTeamSecrets, generateCORSAllowList, addRedirectToCloudFlareListenerRule } from "./utils";
 import { createHasuraService } from "./services/hasura";
-import { addRedirectToCloudFlareListenerRule } from "./utils/addListenerRule";
+import { CustomDomains } from "../common/teams";
 
 const config = new pulumi.Config();
 
@@ -25,7 +25,7 @@ const data = new pulumi.StackReference(`planx/data/${env}`);
 // You can generate tokens here: https://dash.cloudflare.com/profile/api-tokens
 new pulumi.Config("cloudflare").requireSecret("apiToken");
 
-const CUSTOM_DOMAINS =
+const CUSTOM_DOMAINS: CustomDomains =
   env === "production"
     ? [
         {
@@ -377,6 +377,7 @@ export = async () => {
             name: "ORDNANCE_SURVEY_API_KEY",
             value: config.requireSecret("ordnance-survey-api-key"),
           },
+          generateCORSAllowList(CUSTOM_DOMAINS, DOMAIN),
           ...generateTeamSecrets(config, env),
         ],
       },

diff --git a/infrastructure/application/utils/generateCORSAllowList.ts b/infrastructure/application/utils/generateCORSAllowList.ts
@@ -0,0 +1,16 @@
+import * as awsx from "@pulumi/awsx";
+
+import { CustomDomains } from "../../common/teams";
+
+export const generateCORSAllowList = (customDomains: CustomDomains, domain: string): awsx.ecs.KeyValuePair => {
+  const customDomainURLs = customDomains.map(team => team.domain);
+  const editorURL = `https://${domain}`;
+  const corsAllowList = [...customDomainURLs, editorURL];
+
+  const secret: awsx.ecs.KeyValuePair = {
+    name: "CORS_ALLOWLIST",
+    value: corsAllowList.join(", "),
+  };
+
+  return secret;
+};
diff --git a/infrastructure/application/utils/index.ts b/infrastructure/application/utils/index.ts
@@ -0,0 +1,3 @@
+export * from "./addListenerRule";
+export * from "./generateCORSAllowList";
+export * from "./generateTeamSecrets";
diff --git a/infrastructure/common/teams.ts b/infrastructure/common/teams.ts
@@ -31,4 +31,9 @@ export const teams: Team[] = [
   },
 ];
 
+export type CustomDomains = Array<{
+  name: string,
+  domain: string
+}>;
+
 export default { teams }